Setup Zabbix agent through SSH tunnel on Debian

Prerequisites

  • Fully configured Zabbix server

Setup server

  • Install ssh and autossh:
apt-get install ssh autossh
  • Run ssh-keygen as root to create a keypair for logging in without a password. The private key has to be saved to the default location, /root/.ssh/id_rsa.
  • Edit the file /etc/rc.local and add the following line (above “exit 0”):
/usr/bin/autossh -fN -M 20150 -L 10150:localhost:10050 zabbixagent@yourserver.com
  • The “f” tells autossh to run in background. “N” disables the execution of remote commands (which isn’t necessary for port forwarding). “M” specifies the port for monitoring. It can be any free port. 10150 is the local port number for the Zabbix agent (you can choose any free port number here as well). 10050 is the listening port of the Zabbix agent specified later in /etc/zabbix/zabbix_agentd.conf on the client (see Setup client).

Setup client

  • Install Zabbix agent and ssh server:
apt-get install zabbix-agent ssh
  • Configure sshd (/etc/ssh/sshd_config) according to your wishes (e.g. disable password and root login).
  • Edit /etc/zabbix/zabbix_agentd.conf and remove the comment in front of the line “ListenIP=127.0.0.1”. If you want to use active checks, also provide a hostname. Also make sure that “ListenPort” is set to the same port as provided in the autossh command on the Zabbix server (default 10050).
  • Restart the Zabbix agent:
/etc/init.d/zabbix-agent restart
  • Create a new user named zabbixagent:
adduser --system --group zabbixagent
  • Copy the previously generated file /root/.ssh/id_rsa.pub from the server to /home/zabbixagent/.ssh/authorized_keys
  • Make sure the permissions are correct on /home/zabbixagent/.ssh and the files it contains (owner and group: zabbixagent). If you are not sure, just run:
chown -R zabbixagent:zabbixagent /home/zabbixagent
chmod 440 /home/zabbixagent/.ssh/authorized_keys
  • Now try to log in from the server. You should not be prompted for a password:
ssh zabbixagent@yourserver.com
  • Start autossh on the server or restart the server:
/etc/init.d/rc.local start
  • You can run “netstat -pln” to see if ssh is listening on port 10150.
  • Now create a new host in Zabbix with IP address 127.0.0.1 and port 10150.

  • And Voila! There you have a secure solution for monitoring.
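
The two properties this setup depends on (agent bound to 127.0.0.1 on the forwarded port, tunnel listener on 10150 bound to loopback only) can be checked with a short script. This is an added example, not part of the original guide; the function names and sample data are constructed for illustration, and check_listener reads saved output of “netstat -pln”.

```sh
#!/bin/sh
# Added example: consistency checks for the tunnel set up in this guide.
# Function names are illustrative; files are passed as arguments.

# Print the last uncommented "Key=value" from a zabbix_agentd.conf-style file.
conf_value() {  # $1=file $2=key
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$1" |
        tail -n 1
}

# The agent must listen on 127.0.0.1 only, on the port the tunnel forwards to.
check_agent() {  # $1=agent config $2=remote port from the -L option
    ip=$(conf_value "$1" ListenIP)
    port=$(conf_value "$1" ListenPort)
    [ "$ip" = "127.0.0.1" ] || { echo "ListenIP is '${ip:-unset}', want 127.0.0.1"; return 1; }
    [ "${port:-10050}" = "$2" ] || { echo "ListenPort ${port:-10050}, tunnel targets $2"; return 1; }
}

# In saved "netstat -pln" output the forwarded port must be bound to
# loopback (127.0.0.1 or ::1) only, never to a wildcard or public address.
check_listener() {  # $1=netstat output file $2=local port
    awk -v p="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != p) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "::1") { print "exposed on " addr; bad = 1 }
        }
        END { if (!found) print "nothing listening on port " p; exit (bad || !found) }
    ' "$1"
}

# Constructed sample data, not taken from a real host.
tmp=$(mktemp -d)
printf '%s\n' '# ListenIP=0.0.0.0' 'ListenIP=127.0.0.1' 'ListenPort=10050' > "$tmp/agent.conf"
printf '%s\n' \
    'tcp   0  0 127.0.0.1:10150  0.0.0.0:*  LISTEN  1234/ssh' \
    'tcp6  0  0 ::1:10150        :::*       LISTEN  1234/ssh' > "$tmp/netstat.txt"
check_agent "$tmp/agent.conf" 10050 && check_listener "$tmp/netstat.txt" 10150 && echo "tunnel OK"
rm -rf "$tmp"
```

On real hosts, run check_agent on the client against /etc/zabbix/zabbix_agentd.conf and check_listener on the Zabbix server against a file written with “netstat -pln”.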

Troubleshooting

  • If you get the error “Got empty string from [127.0.0.1]…” try changing “Server=localhost” into “Server=127.0.0.1” in /etc/zabbix/zabbix_agentd.conf.
