Check_mk is quite nice for monitoring hosts in your own network, but if you have a remote server you would like to monitor it is not so secure, because the check_mk agent sends all of its data in clear text. You can of course limit connections to a single remote IP with the firewall, or even with xinetd, but what about monitoring hosts running on a dynamic external IP, or securing the data transfer between the hosts? You simply cannot put a DNS name into a firewall or xinetd rule, which is why you can use stunnel to secure the connection.
It serves two purposes:
- securing the data transfer through the internet
- adding an authentication layer in front of the check_mk agent
Please follow this how-to; it shows how to secure the connection between a check_mk server running on CentOS 7 and a check_mk agent running on CentOS 7. This how-to does not describe how to install check_mk or the check_mk agent on the hosts.
Both sites (remote site and check_mk site)
First of all, install stunnel from the CentOS 7 base repo:
yum install stunnel
After the installation has completed, create a systemd unit file for the service at /etc/systemd/system/stunnel.service:

[Unit]
Description=SSL tunnel for network daemons
After=syslog.target network.target

[Service]
ExecStart=/usr/bin/stunnel
Type=forking
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Now you are ready to configure stunnel.
Server site (where check_mk server lives)
Configure stunnel in /etc/stunnel/stunnel.conf:

client = yes

[check_mk_remote]
cert = /etc/pki/tls/certs/[cert_name].pem
accept = 127.0.0.1:6557
connect = [remote_ip]:6556

The cert file referenced in the config is generated on the remote site (see below), so copy it over once it has been generated; then you can enable and start the service:

systemctl enable stunnel.service
systemctl start stunnel.service
After that we can set up the remote site.
Remote site (host which you would like to monitor)
This is how the stunnel configuration (/etc/stunnel/stunnel.conf) should look:

cert = /etc/pki/tls/certs/stunnel.pem
sslVersion = TLSv1
setuid = nobody
setgid = nobody
pid = /tmp/stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log

[check_mk_agent]
accept = [external_ip_of_remote_location]:6556
connect = localhost:6556
TIMEOUTclose = 0

As you can see above, the config references a cert. We need to generate it:

openssl req -new -x509 -days 3650 -nodes -out /etc/pki/tls/certs/stunnel.pem -keyout /etc/pki/tls/certs/stunnel.pem
dd if=/dev/urandom count=2 | openssl dhparam -rand - 512 >> /etc/pki/tls/certs/stunnel.pem

During generation you will have to answer a few questions. The second command generates DH parameters and appends them to the cert file.
There is one more thing to do: enable logging. The log file must be writable by the nobody user that stunnel drops to (setuid/setgid above):

touch /var/log/stunnel.log
chown nobody:nobody /var/log/stunnel.log
Before starting the services, edit the check_mk.socket systemd unit so the agent listens only on the loopback address (add 127.0.0.1 to ListenStream in /etc/systemd/system/check_mk.socket):

# systemd socket definition file
[Unit]
Description=Check_MK Agent Socket

[Socket]
ListenStream=127.0.0.1:6556
Accept=true

[Install]
WantedBy=sockets.target

Now we are ready to enable and start the services:

systemctl enable check_mk.socket
systemctl start check_mk.socket
systemctl enable stunnel.service
systemctl start stunnel.service
Add host in check_mk
The last step is to add the host in check_mk.
Basically you add the host as usual, with two additional settings:
the IPv4 address should be changed to localhost (the local end of the tunnel), and you should create a rule for the agent TCP port of this host (the accept port from the stunnel section, 6557 in the example above):
Adding other hosts this way
You can add as many hosts as you wish; all you need to do is duplicate the [check_mk_remote] section on the monitoring host (changing the section name and the accept port for each one) and add the corresponding rules in check_mk.
You can even add other services this way. Just modify stunnel.conf accordingly.
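The "Adding other hosts" step above, as an added example (not code from the original post): a POSIX shell script that generates the client-side stunnel.conf with one section and one local accept port per remote, and prints the section-to-port mapping you need for the check_mk agent port rules. It also sets `delay = yes` in each section so stunnel resolves the remote DNS name on every connection rather than once at startup, which matters for the dynamic-IP hosts the post is about; the host names and the cert path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build the monitoring-side
# stunnel.conf for several remote check_mk agents at once.
#
# Usage: gen_stunnel_client_conf CERT FIRST_PORT < hostlist
# hostlist lines: "<section_name> <remote_dns_name_or_ip>", '#' starts a comment.
# Every section gets the next local accept port, starting at FIRST_PORT.
gen_stunnel_client_conf() {
    cert=$1
    port=$2
    printf 'client = yes\n'
    while read -r name host; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        # delay = yes: resolve the connect name per connection (dynamic IPs)
        printf '\n[%s]\ncert = %s\naccept = 127.0.0.1:%d\nconnect = %s:6556\ndelay = yes\n' \
            "$name" "$cert" "$port" "$host"
        port=$((port + 1))
    done
}

# Print "<section_name> <local_port>" pairs: the mapping to enter in the
# per-host "agent TCP port" rule in check_mk (host IPv4 address = 127.0.0.1).
port_table() {
    gen_stunnel_client_conf "$1" "$2" | awk '
        /^\[/      { sec = substr($0, 2, length($0) - 2) }
        /^accept/  { sub(/.*:/, ""); print sec, $0 }'
}

# Constructed sample host list; the names are placeholders, not real hosts.
SAMPLE_HOSTS='check_mk_remote_web web01.example.com
# this one sits behind a dynamic IP, so a DNS name is used
check_mk_remote_db db01.dyndns.example'

# Stand-alone run: print the generated config and the port mapping.
printf '%s\n' "$SAMPLE_HOSTS" | gen_stunnel_client_conf /etc/pki/tls/certs/stunnel.pem 6557
echo '--- check_mk agent port rules ---'
printf '%s\n' "$SAMPLE_HOSTS" | port_table /etc/pki/tls/certs/stunnel.pem 6557
```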
Can you please explain "Add host in check_mk", since that doesn't work. Adding screenshots would be great.
Hi, sorry I’ve just fixed permissions with media. Now it should be better, as there are some screenshots.
I'm using the built-in encryption (Host & Service Parameters ➳ Access to agents ➳ Encryption)
Yes, you are right. However, the built-in encryption is available since version 1.4.0.