Securing connection to check_mk agent with stunnel

Check_mk is quite nice for monitoring hosts on your own network, but monitoring a remote server with it is not so secure, because the check_mk agent sends all of its data in clear text. Of course you can restrict connections to a single remote IP with a firewall, or even with xinetd, but what about monitoring hosts on a dynamic external IP, or securing the data transfer between hosts? You cannot put a DNS name into a firewall rule or xinetd, which is why you can use stunnel to secure the connection.

It will serve two purposes:

  • securing the data transfer across the internet
  • adding an authentication layer in front of the check_mk agent

Please follow this how-to; it shows how to secure the connection between a check_mk server running CentOS 7 and a check_mk agent running on CentOS 7. This how-to does not describe how to install check_mk or the check_mk agent on the hosts.

Both sites (remote site and check_mk site)

First of all, install stunnel from the CentOS 7 base repo:

yum install stunnel

After the installation has completed, create a systemd unit file for the service at /etc/systemd/system/stunnel.service:

[Unit]
Description=SSL tunnel for network daemons
After=syslog.target network.target
 
[Service]
ExecStart=/usr/bin/stunnel
Type=forking
PrivateTmp=true
 
[Install]
WantedBy=multi-user.target

The unit file is the same on both sites; only the stunnel configuration differs, and you are now ready to write it.

Server site (where check_mk server lives)

Configure stunnel in /etc/stunnel/stunnel.conf:

client = yes
[check_mk_remote]
cert = /etc/pki/tls/certs/[cert_name].pem
accept = 127.0.0.1:6557
connect = [remote_ip]:6556

The cert file referenced in this config is generated on the remote site (see below), so copy it over once it exists; then you can enable and start the service.

systemctl enable stunnel.service
systemctl start stunnel.service

After that we can set up the remote site.

Remote site (host which you would like to monitor)

This is how the stunnel configuration should look:

cert = /etc/pki/tls/certs/stunnel.pem
sslVersion = TLSv1
setuid = nobody
setgid = nobody
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log
 
[check_mk_agent]
accept = [external_ip_of_remote_location]:6556
connect = localhost:6556
TIMEOUTclose = 0

As you can see above, this config uses a cert. Generate it:

openssl req -new -x509 -days 3650 -nodes -out /etc/pki/tls/certs/stunnel.pem -keyout /etc/pki/tls/certs/stunnel.pem
dd if=/dev/urandom count=2 | openssl dhparam -rand - 512 >> /etc/pki/tls/certs/stunnel.pem

During the generation process you will have to answer a few questions. The second command generates DH parameters and appends them to the cert file.

Of course there is one more thing to do: enable logging. Because stunnel drops privileges to nobody (setuid/setgid above), the log file has to exist and be writable by that user:

touch /var/log/stunnel.log
chown nobody:nobody /var/log/stunnel.log

Before starting the services, edit the check_mk.socket systemd unit so the clear-text agent listens only on loopback (set ListenStream in /etc/systemd/system/check_mk.socket to 127.0.0.1:6556):

# systemd socket definition file
[Unit]
Description=Check_MK Agent Socket
 
[Socket]
ListenStream=127.0.0.1:6556
Accept=true
 
[Install]
WantedBy=sockets.target

Now we are ready to enable and start the services:

systemctl enable check_mk.socket
systemctl start check_mk.socket
systemctl enable stunnel.service
systemctl start stunnel.service
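Before starting the tunnel it is worth checking the two configs for the settings that decide whether the tunnel actually delivers the two goals stated at the top. stunnel verifies nothing by default: with no verify option, the remote-site stunnel accepts any TLS client, so the authentication layer only exists once the remote site also sets verify = 2 with a CAfile holding the trusted peer certificate (the cert the server site already presents). Likewise sslVersion = TLSv1 selects a deprecated protocol, and the clear-text side of each tunnel must stay on loopback. The linter below is an added example, not part of this post nor of stunnel or Check_MK; it parses the ini-style files used above (global options before the first section, repeatable keys such as socket) and reports those weaknesses. The sample configs are constructed to mirror the post, and /etc/pki/tls/certs/peer-ca.pem in the hardened variant is an assumed path.

```python
"""Lint stunnel.conf and check_mk.socket for the weaknesses discussed in this how-to.

Added example (not part of the original post, stunnel or Check_MK). Both file
types are ini-style: stunnel.conf has global options before the first [section]
and keys that may repeat (socket = ...); systemd units are plain key=value under
[Section] headers. The sample inputs below are constructed to mirror the post.
"""
from collections import defaultdict

# sslVersion values that still allow protocols with known weaknesses.
WEAK_TLS = {"all", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def parse_ini(text):
    """Return {section: {key: [value, ...]}}; options before any section go under ''."""
    cfg = defaultdict(lambda: defaultdict(list))
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[current][key].append(value)
    return cfg


def effective(cfg, section, key):
    """Last value of key in the service section, else in the global block, else None."""
    for scope in (section, ""):
        values = cfg.get(scope, {}).get(key)
        if values:
            return values[-1]
    return None


def is_loopback(endpoint):
    """True for host:port endpoints on loopback; a bare port binds all interfaces."""
    host = endpoint.rsplit(":", 1)[0] if ":" in endpoint else ""
    return host in LOOPBACK


def lint_stunnel(text):
    """Return one finding string per weakness found in each [service] section."""
    cfg = parse_ini(text)
    findings = []
    for name in cfg:
        if name == "":
            continue
        client = (effective(cfg, name, "client") or "no").lower() == "yes"
        version = effective(cfg, name, "sslVersion")
        if version in WEAK_TLS:
            findings.append(f"[{name}] sslVersion = {version} permits deprecated protocols; use TLSv1.2 or newer")
        # stunnel verifies nothing by default: the peer cert is neither required nor checked.
        verified = effective(cfg, name, "verify") not in (None, "0") or \
            "yes" in (effective(cfg, name, "verifyChain"), effective(cfg, name, "verifyPeer"))
        if not verified:
            why = ("remote agent identity is not checked, so a man-in-the-middle can impersonate it"
                   if client else "any TLS client is accepted, so no authentication is enforced")
            findings.append(f"[{name}] no verify/CAfile: {why}")
        # The clear-text side of the tunnel (client: accept, server: connect) must stay on loopback.
        plain = effective(cfg, name, "accept" if client else "connect")
        if plain and not is_loopback(plain):
            findings.append(f"[{name}] clear-text side {plain} is not bound to loopback")
    return findings


def lint_socket(text):
    """Return findings for a systemd .socket unit that activates the check_mk agent."""
    listens = parse_ini(text).get("Socket", {}).get("ListenStream", [])
    return [f"ListenStream={entry} exposes the clear-text agent beyond loopback"
            for entry in listens if not is_loopback(entry)]


# Constructed inputs mirroring the post's configs (placeholders kept as in the post).
SERVER_SIDE_CONF = """\
client = yes
[check_mk_remote]
cert = /etc/pki/tls/certs/stunnel.pem
accept = 127.0.0.1:6557
connect = [remote_ip]:6556
"""

REMOTE_CONF = """\
cert = /etc/pki/tls/certs/stunnel.pem
sslVersion = TLSv1
setuid = nobody
setgid = nobody
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log

[check_mk_agent]
accept = [external_ip_of_remote_location]:6556
connect = localhost:6556
TIMEOUTclose = 0
"""

# Hardened remote config: modern TLS plus a required, verified client certificate.
# /etc/pki/tls/certs/peer-ca.pem is an assumed path holding the trusted peer cert.
HARDENED_REMOTE_CONF = REMOTE_CONF.replace("sslVersion = TLSv1", "sslVersion = TLSv1.2") + \
    "verify = 2\nCAfile = /etc/pki/tls/certs/peer-ca.pem\n"

AGENT_SOCKET_UNIT = "[Unit]\nDescription=Check_MK Agent Socket\n\n[Socket]\nListenStream=127.0.0.1:6556\nAccept=true\n"
EXPOSED_SOCKET_UNIT = AGENT_SOCKET_UNIT.replace("127.0.0.1:6556", "6556")

if __name__ == "__main__":
    for label, result in [("server side", lint_stunnel(SERVER_SIDE_CONF)),
                          ("remote site", lint_stunnel(REMOTE_CONF)),
                          ("remote site hardened", lint_stunnel(HARDENED_REMOTE_CONF)),
                          ("agent socket", lint_socket(AGENT_SOCKET_UNIT))]:
        print(f"{label}: {result or 'no findings'}")
```

Run it as a script to see the findings for the post's configs: the server side is flagged for not verifying the agent's certificate, the remote site for TLSv1 and for accepting unauthenticated TLS clients, while the hardened remote config and the loopback-bound agent socket pass clean. The same verify/CAfile pair can be added on the server side so that both ends check each other's certificate.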

Add host in check_mk

The last step is to add the host in check_mk.

Basically you add the host as usual, configuring two additional parameters:

Change the IPv4 address to localhost, and create a rule setting the agent's TCP port for this host to 6557 (the port the local stunnel client accepts on).

Adding other hosts this way

You can add as many hosts as you wish; all you need to do is duplicate the [check_mk_remote] section on the monitoring host (changing the name and accept port for each section) and add the corresponding rules in check_mk.

You can even add other services this way. Just modify stunnel.conf accordingly.

Have fun!
