Zabbix user-defined parameters with PSK encryption - zabbix

I am trying to configure a user defined parameter on a Windows host. All my hosts are configured with PSK encryption and Zabbix server is able to get data without any issues.
However I cannot figure out how to use the zabbix_get manually with PSK encryption enabled.
zabbix_get -s x.x.x.x -p 10050 -k "internet.connection.check" --tls-connect=psk --tls-psk-identity="name" --tls-psk-file=cannot find any psk file on zabbix server
The problem is I cannot locate any PSK file on the zabbix server. Can I pass the PSK somehow?

The serverside PSK is configured in the GUI and stored in the database.
The Zabbix agent stores the PSK in a file.
I see 3 options:
Manually create a psk-file.
Remember that a change of the key must be done in the GUI, at the agent and in your special file.
Make a script that reads the key from the database.
Remember that direct access to the database of an application is most times forbidden and can cause compatibility issues after updating the application. Read-only access should be possible.
Use the same keys for all your agents;
When you install a Zabbix Agent on the Zabbix Server (allowing you to monitor the server), you do have a file on a normal place.
I wouldn't try to use an API or some smart script during Discovery, this will make the solution hard to maintain. I withdraw my last remark, when you have thousands of servers to monitor and a team working with Zabbix.

Related

PHP MyAdmin Azure App Services - (HY000/2002): An attempt was made to access a socket in a way forbidden by its access permissions

When attempting to connect to the Azure App Services (ASP.NET) MySQL database (Navigating to the Manage link) the Page info returned from PHPMyAdmin prevents me from moving forward. I cannot seem to find the location of the log for the app within Kudu and navigating to the MYSQLCONNSTR_*.ini file did not provide me with the information that I needed.
I've attempted to use the connection strings for the database for both the scm and the web app but neither work. I have also attempted to use the public-facing IP within the Kudu environment variable without any luck.
I cannot seem to find the information I need to connect to my instance of PHPMyAdmin, and am now quite lost.
The solution to my problem was here: https://stackoverflow.com/a/57545678/4212591
The free tier of the Azure Web Service does not allow for the always-on feature. Thus my inability to connect to the service.
I’m unsure on the exact location/path you are looking for that file, the connection string is stored at D:\home\data\mysql\MYSQLCONNSTR_localdb.txt.
If you wish to customize the database, username and password, after you have created a new database, add new username or update password, simply modify:
D:\home\data\mysql\MYSQLCONNSTR_localdb.ini , remove D:\home\data\mysql\MYSQLCONNSTR_localdb.txt and restart the WebApps.
Furthermore, the connection string flows to your application as an env variable MYSQLCONNSTR_localdb. The env is added to the main site process. For Kudu site, one may read the same info from D:\home\data\mysql\MYSQLCONNSTR_localdb.txt file. Beware that we are not using the default MySql port (3306). In fact, the port number may vary for each application life cycle depending on its availability at startup time. The port info is also available as an env variable WEBSITE_MYSQL_PORT to your site.
Ensure that MySQL process is running. Check in your web app application settings if there is a connection string. PHPmyadmin uses MYSQLCONNSTR_ to connect to the MySQL server. If you have a connection string in application setting change the connection string type to Custom , so you can still have the information if needed or delete it. This will force PHPmyadmin to access MYSQLCONNSTR_localdb and connect to the MySQL in-app server.
As a side note, on Azure WebApps Sandbox - Connection attempts to local addresses (e.g. localhost, 127.0.0.1) and the machine's own IP will fail, except if another process in the same sandbox has created a listening socket on the destination port.
To rule out, application code or the client library leaking TCP socket handles or burst load of requests opening too many TCP socket connections at once, scale-up Azure App Service Plan and see if that makes any difference.

mysql-proxy cleartext passwords

I have MySQL proxy running and I have a LUA with a function for read_auth() however the passwords that are passed during authentication are hashed (as expected).
I require them in a format which I can work with and post onwards, so cleartext. Enabling the cleartext plugin on the MySQL client has no effect, I suspect that MySQL proxy is not demanding the client sends it in cleartext so defaults to hashing.
So basically: do you have any ideas on how I would be able to get the clear text authentication details within the read_auth() function of MySQL proxy?
Note: my end goal is to auth with LDAP, however the only way I can get a password (hashed or not) is by actually binding to LDAP, it can not be obtained by searching.
The MySQL network protocol does not allow passwords to be sent in clear-text, all you could capture is the encrypted version.
However, if you are trying to send (from the client to the server) cleartext, the client side clear text plugin should work...
As of MySQL 5.5.27, to make inadvertent use of this plugin less likely, it is required that clients explicitly enable it. This can be done several ways:
Set the LIBMYSQL_ENABLE_CLEARTEXT_PLUGIN environment variable to a value that begins with 1, Y, or y. This enables the plugin for all client connections.
The mysql, mysqladmin, and mysqlslap client programs support an --enable-cleartext-plugin option that enables the plugin on a per-invocation basis.
The mysql_options() C API function supports a MYSQL_ENABLE_CLEARTEXT_PLUGIN option that enables the plugin on a per-connection basis. Also, any program that uses libmysqlclient and reads option files can enable the plugin by including an enable-cleartext-plugin option in an option group read by the client library.
Alternatively, there are a few other options to authenticate with LDAP. For example, you could use the PAM Authentication Plugin that will let you use any available PAM module to provide authentication services, and there is a pam_ldap module that is easy to configure.
You could also look into using roles and mapping the usernames to roles, so you would have a few roles with permissions and many usernames mapped to those roles. You can find further information on that here.
Further Resources:
Cleartext Authentication Plugin
PAM Authentication Plugin
MYSQL Password Hasing
MySQL Proxy Role Based Authentication

Using zabbix_sender for host discovery

I'm writing an application which delivers data from remote devices over an HTTP API. These devices are on a mobile data connection and have limited resources.
I wish to receive custom monitoring data over the HTTP API, relying on the security model designed in the application, and push that data to Zabbix directly (or indirectly) from node.js. I do not wish to use Zabbix Agent on the remote devices.
I see that I can use zabbix_sender to send data to a Zabbix server containing a pre-configured host. This works great. I intend to deliver monitoring data over my custom API, and when received give this data to zabbix_sender inside the server network.
The problem is there are many devices in the field and more are being added all the time.
TL;DR:
When zabbix_sender provides a custom hostname which doesn't exist in Zabbix already, it fails.
I would like to auto-add discovered hosts, based upon new hostnames from zabbix_sender. How would I do this?
Also, extra respect if anyone can give examples of how to avoid zabbix_sender and send data directly from node.js to the Zabbix server. I mean: suggest an NPM package that you have experience using. (Update: Found working node.js package here: https://www.npmjs.com/package/node-zabbix-sender)
Zabbix configuration: I'm learning from Zabbix 2.4 installed in Docker, no custom configuration from this Dockerhub: https://hub.docker.com/r/zabbix/zabbix-2.4/
Probably the best would be to use the Zabbix API to create hosts directly.
Alternatively, you could set up an action and emulate active agent connection, which would make Zabbix create the host via the active agent auto-regstration.
You could also use low level discovery (LLD) to send in JSON, which would result in hosts/items being created, based on prototypes.
In all of these cases you have to wait for one minute (by default) for the hosts to appear in the Zabbix cache, then you can send the data.
Also note that Zabbix 2.4 is not supported anymore, it will receive no fixes - it is not a "long-term support" release.

Connect to MySql database with OpenSSL while on localhost

The MySql server and client are on the same server. In time, they will be on separate machines. We want to establish secure protocols from the get go.
Does it make sense to require SSL on database connections? Or put another way, is there any reason NOT to use SSL?
If I were you, I'd refrain from connecting to localhost, and instead connect to your local machine by using its explicit hostname. I think you're also wise to use TLS / SSL to connect in this configuration if that's what you're expecting to use when you deploy in production.
You may want to ask yourself whether that's worth the trouble, though. If your app - to - mysqld connection is on a private backend network (as it may be) using TLS / SSL may be overkill. It's called "transport layer security" and it pretty much protects against badguys intercepting data going to and from mysql. Your app system will probably have other vulnerabilities that render TLS protection uninteresting. For example, if it's a web app the mysql password is probably hardcoded in a config file someplace. If the badguy wants to look at your data, he need only grab the password and log in to the mysqld. To keep your info safe you need to keep badguys off your private network.
It's a good idea always to paramaterize the hostname, port number, and production password of your mysql database. If those things are parameterized you can then deploy to a staging or production server system simply by changing those parameters.

Hudson cmd.exe running as

Where does hudson CI get user to run the cmd.exe ?
I'm trying to start and stop some remote services on various slaves and special credentials that are different than what hudson is using are needed. I can't find a place to override the user. I've tried running the server as various users, but it doesn't change anything.
Any other ideas?
Since you want to start and stop the services on the remote machine you need to login with these credentials on the remote machine, since I haven't found a way to start and stop a service on remote machine.
There are different ways to do that. You can create a slave that runs on the remote machines with the correct credentials. You can even create more than one slave for the same machine without any issues, than you can use different credentials for the same machine. These can then fire up the net stop and net start command.
You can also use the SSH plugin. This allows you to configure pre- and post-build ssh scripts. You 'just' need and ssh server on the windows machine. The password for the connection will be stored encrypted.
Use a commad line tool. So far I haven't found a Windows on board tool to have a scripted login to the remote machine. I would use plink for that task. plink is the scripted version of putty. Putty supports different connection types. So you can also use the build in telnet service (not recommended since telnet does not encrypt the connection). Disadvantage is that you will have the password unencrypted in the job configuration.
We had a similar problem, and I resorted to using PsExec. To my advantage, our machines exist on a separate LAN, within 2 firewalls, so I was OK with unencrypted passwords floating around. I had also explored SSH w/ Putty, which seemed to work, but not straightforward.
If someone can help with single line runas command, that could work too.
You don't say how your slaves are connected to Hudson, but I'll assume it's through the "hudson slave" service, since that's probably the most popular way to connect Windows slaves.
If so, the CMD.EXE is run with the same permissions as the user running the service. This can be checked by:
1. run services.msc
2. double-click hudson-slave service
3. go to Log On tab
By default, the slave service runs as "LocalSystem", which is the most powerful account on the system. It should be able to do whatever you need it to do. (i.e. start/stop services)