We use a lot of ssh-based checks.  Compiling nrpe is difficult to do on some
linux-based appliances or other locked-down devices.  Most of our checks are
custom scripts that execute ssh-based remote commands.


Though not check_mysql specific, here are some guidelines we follow:

1a) Disable root login; use an alternate restricted account if possible
PermitRootLogin = no

1b) If not possible to disable root login, disable root's password-based
login
PermitRootLogin = without-password

2) Disable password-based login, use public key authentication only
   An intruder would have to physically place a file on the server to
be able to log in

3) Restrict the public key to certain IPs

4) Restrict the public key to certain commands
   (Brian Hatch has a wrapper script to call if you'd like more control)

5) Restrict the public key from port forwarding

6) Install some sort of SSH-banning script like DenyHosts
(denyhosts.sourceforge.net)


Sample public key we put on the remote server

/home/serviceaccount/.ssh/authorized_keys:
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="1.2.3.4",command="/usr/local/bin/check_something" ssh-dss gnm'@j=v-eEQXsAn]FA])QAOWyTzh8jC[<os)pak?;Mq$QnjVsSM#7h[+SORYndjIUrpPYtKhLLqTHaFYrdyxrBkOa [EMAIL PROTECTED]


The worst that could happen if the private key on the nagios host was
compromised is that someone could execute the remote check at their whim
(possibly causing a denial of service if the remote check is resource
intensive).
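As an added example (not code from the thread above, and not part of any Nagios plugin), here is a small POSIX sh script that does two things: it generates the restricted authorized_keys line described in points 3 to 5 from a public key file, and it can itself be installed as the forced command so that one key can serve several checks without giving the key holder a shell. The wrapper path /usr/local/bin/check_wrapper, the check command lines, and the read-only MySQL account name nagios_ro are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread.  Assumed names: the wrapper
# path /usr/local/bin/check_wrapper, the check command lines in allowed_check,
# and the MySQL read-only account nagios_ro.

# build_restricted_key FROM_IP FORCED_CMD PUBKEY_FILE
# Reads one OpenSSH public-key line (type, blob, optional comment) and prints
# it with the options from the guidelines above: no forwarding of any kind,
# no pty, one permitted source address and one forced command.
# Returns 1 if the file does not start with a public key.
build_restricted_key() {
    from_ip=$1
    forced_cmd=$2
    pubkey_file=$3
    keytype=""
    # read returns non-zero on a line without a trailing newline; accept it
    # as long as something was read.
    read -r keytype blob comment < "$pubkey_file" || [ -n "$keytype" ] || return 1
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-dss) ;;
        *) echo "build_restricted_key: not a public key line: $keytype" >&2; return 1 ;;
    esac
    opts="no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
    if [ -n "$comment" ]; then
        printf '%s,from="%s",command="%s" %s %s %s\n' \
            "$opts" "$from_ip" "$forced_cmd" "$keytype" "$blob" "$comment"
    else
        printf '%s,from="%s",command="%s" %s %s\n' \
            "$opts" "$from_ip" "$forced_cmd" "$keytype" "$blob"
    fi
}

# allowed_check NAME
# Maps the short name sent by check_by_ssh onto the exact command line that
# may run.  The client never supplies arguments; anything not listed here is
# refused (return 2), so a stolen key cannot run arbitrary commands.
allowed_check() {
    case "$1" in
        check_load)  echo "/usr/local/bin/check_load -w 5,4,3 -c 10,8,6" ;;
        check_disk)  echo "/usr/local/bin/check_disk -w 10% -c 5% -p /" ;;
        check_mysql) echo "/usr/local/bin/check_mysql -u nagios_ro" ;;  # assumed read-only, passwordless account
        *)           return 2 ;;
    esac
}

# run_forced_command
# Entry point when sshd runs this script as the command="..." of the key.
# sshd places what the client actually asked for in SSH_ORIGINAL_COMMAND;
# a forced command ignores the request unless it consults that variable.
run_forced_command() {
    cmd=$(allowed_check "$SSH_ORIGINAL_COMMAND") || {
        echo "UNKNOWN: command not permitted for this key"
        exit 3   # Nagios UNKNOWN exit status
    }
    # Word splitting of $cmd is intentional: it is our own fixed string.
    exec $cmd
}

# Invoked by sshd (SSH_ORIGINAL_COMMAND set): dispatch the check.
# Invoked by an admin as "check_wrapper FROM_IP PUBKEY_FILE": print the
# authorized_keys line that binds that key to this wrapper.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    run_forced_command
elif [ $# -eq 2 ]; then
    build_restricted_key "$1" /usr/local/bin/check_wrapper "$2"
fi
```

On the nagios side the service then runs something like `check_by_ssh -H host -l serviceaccount -C check_mysql`; whatever follows `-C` arrives in SSH_ORIGINAL_COMMAND and is looked up in the allowlist. OpenSSH 7.2 and later also accept the single option `restrict`, which disables forwarding, pty allocation and the other extensions in one word, but the explicit list above works on the older sshd versions found on appliances.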


-----Original Message-----
From: Rene Nelson [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 05, 2006 1:48 PM
To: nagios-users@lists.sourceforge.net
Subject: [Nagios-users] check_mysql


I want to check this via check_by_ssh, but do not want to use the root user
nor password.  (not too excited about leaving it in a clear text .cfg file)
Is there a way to get the same information using a read-only user with no
password?  Are there best practices for Check_MySQL via check_by_ssh?

