Pandora: Documentation en: RemoteManagement

From Pandora FMS Wiki
Jump to: navigation, search

Go back to Pandora FMS documentation index

1 Remote system management with Pandora FMS

1.1 Introduction

Pandora FMS is a monitoring tool, and given its philosophy, it doesn't use the agents to connect us to the equipment, so it uses other methods to allow operators to remotely control the monitored systems. Some systems, such as routers and switches can be managed by Telnet or SSH and in order to access them you only need to launch the command. To do this, we will use an optional extension based on the Anytermd tool that has not been installed as standard since version 7.0. It is present in the Pandora FMS module library [1]

The standard tool in Pandora FMS to have access to remote systems (be it windows, mac or Windows) is eHorus [2], a remote control tool that since it's WEB, it is totally integrated in the Pandora FMS interface.

1.2 Using eHorus with Pandora FMS

eHorus is a remote management system that relies on the cloud (SaaS) to connect to the computers, regardless of changes in IP, firewalls or other problems discussed previously.

Remote-computer-access-schema.png

To enable it, it is necessary to activate the integration in its configuration section.

Ehorus setup.png

After that, it will be necessary to enter a valid login from a service user. This user will be used to authorize the remote connection to the provided agents.

It is possible, although probably not necessary, to use another eHorus provider editing the fields API Hostname (switch.ehorus.com by default) and API Port (18080 by default).



Ehorus setup full.png



Info.png

Remember to check if the connection works properly before saving the changes

 


Once the connection is configured, you'll be able to check that a new custom field appears in the agent view, called eHorusID. This field should contain the eHorus agent ID to be managed. YOu can find this ID in several places, such as the eHorus agent running on the machine or in the eHorus Portal (see image).



Ehorus agent id.png



If you are using Pandora FMS agents 7.0 or higher, they already automatically support a parameter to automatically obtain the eHorus ID, through the following configuration token:

ehorus_conf <path> 

The configuration token supports the absolute path to a valid configuration file of an eHorus agent. The agent will create a custom field called eHorusID that contains the identification key of the eHorus agent.

Info.png

The eHorus agent to be managed must be visible by the configured user in the configuration section of the integration.

 


When the Pandora FMS agent has defined the ID of the eHorus agent in its customized field, the administrator users or those that have management permissions of the agent, will see a new tab in the agent menu from which they will be able to use the eHorus client from inside Pandora FMS.

The ehorus id (EKID) is entered in this custom field of the agent:

Ehorus pandora custom.jpg

Once configured, just click on any of the sections that the remote control extension with ehorus of that agent presents: remote control via Shell, remote desktop, process view, services or copy files:

Ehorus submenu.jpg
Ehorus c1.jpg

We always recommend using a local password in the eHorus agent. If configured, we will be prompted interactively:

Ehorus c2.jpg

Once authenticated, we can access the interactive command line session (linux, mac and windows) with root permissions:

Ehorus c3.jpg

And the same goes for managing remote processes and copying files (both upload and download):

Ehorus c4.jpg
Ehorus c5.jpg

And of course, the remote desktop (windows, linux and mac):

Ehorus d1.jpg

Info.png

For more information about eHorus, you can visit their website [3]. eHorus is free up to 10 computers. eHorus is developed by the same team that made Pandora FMS possible.

 


Template warning.png

If you are running Pandora FMS on Windows, download the Mozilla CA certificate store in PEM format and add curl.cainfo={path}\cacert.pem to the php.ini file.

 


1.3 Connecting to remote systems using SSH and/or Telnet with Pandora FMS

There is an extension that allows users to connect directly with remote devices via SSH or SSH. This can be done with the "Remote gateway"extension. This component needs a special configuration, which is not installed "by default" in most Pandora FMS installations, more information and downloads in the library of Pandora FMS modules. [4]

Template warning.png

This extension does not work well with modern versions of Centos/RHEL due to security restrictions in the internal call forkptt (). We recommend using eHorus to replace this functionality. More info.

 


Ssh snapshot1.png



Ssh snapshot2.png



Pandora FMS uses a tool called "anytermd", to create a kind of proxy between the user's browser and the remote destination. This tool launches a daemon, listening on a port, that executes a command, diverting all the contents of the connection to the user's browser. This means that all connections are made from the Pandora FMS server, and that the Pandora server has to have installed the ssh and telnet clients of the system. This would be an architecture of the system:



Anytermd.png



1.3.1 Installation and configuration

The source code is located in extras/anytermd in the SVN repository of the project. Additionally it can be found as RPM and tarball packages in the official downloads of the project.

Make sure you have installed the packages: gcc-c++, make, boost-devel and zlib-devel.

Execute:

make

Then manually install the binary in /usr/bin

cp anytermd /usr/bin

To run the server daemon, you will have to do it "by hand", since it does not start with the server or Pandora console. The SSH/Telnet remote connection extension will use a different port for each type of connection, SSH 8022 and Telnet 8023.

It has a boot script for anytermd in contrib/anytermd. Copy it to /etc/init. d/anytermd and run it this way to boot it:

/etc/init.d/anytermd start

By default it uses the user "pandora" for its execution, if you want to change it, modify the script.

Info.png

Make sure that ports 8022 and 8023 are free and open from the user browser to the server where the Pandora's console and anytermd runs.

 


1.3.1.1 Securization of Anytermd installation

For security reasons, we recommend restricting access to ports 8022 and 8023 so that only authorized systems can access them. To do this, we recommend using firewall rules (iptables on Linux):

On the host where Anytermd runs:

iptables -I INPUT -p tcp --dport 8023 -s <source_ip> -j ACCEPT
iptables -I INPUT -p tcp --dport 8022 -s <source_ip> -j ACCEPT

Where <source_ip> is the IP of the user/browser that will have access to this functionality.


Go back to Pandora FMS Documentation Index