LinuxQuestions.org


xaviercardoza 11-15-2010 06:38 PM

SUSE SLE Linux running Zabbix Network monitoring in Amazon Cloud - Blocked port 10051
 
I am currently running a SUSE SLE 11 server environment with the Zabbix network monitoring tool installed, which has been configured with PHP, MySQL and Apache, all running in the Amazon Cloud. I am able to connect remotely to the server using MySQL Workbench.

I discussed this with the Zabbix team before coming here to ask for help on the security issues with regard to the Zabbix agent not being able to connect back to the Zabbix server. In this Linux environment I can access the server using PuTTY SSH for remote logon, and I can remotely administer MySQL. The Zabbix server can communicate with the Zabbix agent, which is called passive mode, but the Zabbix agent (port 10050) cannot call the Zabbix server, which is called active mode, via port 10051.

The Zabbix agent side runs on a Windows 2008 server and uses port 10050 to communicate; there is no firewall running. The Zabbix server is able to make requests to the Zabbix agent on port 10050 in passive mode for information, and it is passed to the Zabbix server with no problem. The agent cannot pass any ‘active’ information because it cannot make contact with the server even though it knows the IP address or host name of the server.

I have validated with the Zabbix team all the configs required to make their environment work. I have provided this team with all the stats, which has pointed them to review the Amazon config, which I have also verified as working fine (I tested it by removing various ports and testing comms).

The SUSE Linux firewall is not running, so when I run a telnet session to port 80 it connects fine, and connecting remotely via MySQL Workbench is also fine, but when I telnet to port 10051 it does not work. This is required in order for the Zabbix agent to pass active log information, and the Zabbix server is running on port 10051, so it should not be a problem.
I cannot see how the SUSE system is blocking this port. To this end, I have provided the output of the following commands.

I am new to this Linux environment. I am not sure if Novell AppArmor has anything to do with this issue as well.

My issue is getting the Zabbix agent to communicate with the server via port 10051 on the SUSE Linux server.


From SUSE SLE 11 Linux
1. netstat -tnpl
2. iptables -L
3. ifconfig

From Amazon
1. EC2-DESCRIBE-GROUP --region eu-west-1


AMAZON OUTPUT
Internal IP address of SLES Linux 10.227.139.67

EC2-DESCRIBE-GROUP --region eu-west-1

GROUP 855336263726 default default group
PERMISSION 855336263726 default ALLOWS all FROM USER 855336263726 GRPNAME default
PERMISSION 855336263726 default ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
GROUP 855336263726 SuseRemoteAccess Remote Access for Suse
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 23 23 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 25 25 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 443 443 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 3306 3306 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 10050 10050 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 10051 10051 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0

SUSE OUTPUT
IFCONFIG
eth0 Link encap:Ethernet HWaddr 12:31:3C:01:88:B5
inet addr:10.227.139.67 Bcast:10.227.139.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:407271 errors:0 dropped:0 overruns:0 frame:0
TX packets:436269 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:36316784 (34.6 Mb) TX bytes:160328198 (152.9 Mb)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1009557 errors:0 dropped:0 overruns:0 frame:0
TX packets:1009557 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:59169261 (56.4 Mb) TX bytes:59169261 (56.4 Mb)

IPTABLES -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

NETSTAT -tnpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4189/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4371/master
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 4530/zabbix_agentd
tcp 0 0 0.0.0.0:10051 0.0.0.0:* LISTEN 4538/zabbix_server
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2012/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1930/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4424/httpd2-prefork

unSpawn 11-16-2010 06:29 AM

Quote:

Originally Posted by xaviercardoza (Post 4160031)
I am new to this linux environment.

- Should MySQL listen on all interfaces (--bind-address=127.0.0.1)?
- Please tell me you don't access the Zabbix server over SSH as root user?


Quote:

Originally Posted by xaviercardoza (Post 4160031)
The SUSE Linux Firewall is not running

Running an OS without a firewall exposes services unrestricted; that is a Bad Thing.
* Also having firewall rules ("-j LOG" rules on Linux) can help troubleshooting.


Quote:

Originally Posted by xaviercardoza (Post 4160031)
when I telnet to port 10051 it does not work

"Does not work" does not provide a basis for troubleshooting. On the Zabbix agent side, what does running tracetcp (requires winpcap) or tcptraceroute (costs you USD 5) against the Zabbix server's external IP address (your panel should show it to be in the 79.125.0.0/17, 46.51.128.0/18 or 46.51.192.0/20 range?) and port 10051 return?
* BTW I somewhat doubt this is a Linux issue. I'll move the thread soon to either /General (non-Linux) or /Networking.
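
Added example, not part of any post in this thread: a short Python script that cross-references the SuseRemoteAccess security-group rules with the netstat listing posted above, to show which services are reachable from 0.0.0.0/0 when the host firewall is empty, which rules open ports nothing listens on, and which listeners are shielded only by the security group. It assumes the instance is a member of the SuseRemoteAccess group and reads IPv4 `tcp` lines only; the function names are illustrative.

```python
# Added example. Sample input is copied from the outputs posted in this thread.
SG = """\
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 23 23 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 25 25 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 443 443 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 3306 3306 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 10050 10050 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS tcp 10051 10051 FROM CIDR 0.0.0.0/0
PERMISSION 855336263726 SuseRemoteAccess ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
"""
NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4189/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4371/master
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 4530/zabbix_agentd
tcp 0 0 0.0.0.0:10051 0.0.0.0:* LISTEN 4538/zabbix_server
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2012/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1930/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4424/httpd2-prefork
"""

def world_open_tcp(sg_text):
    """TCP ports that a PERMISSION line allows from 0.0.0.0/0."""
    ports = set()
    for f in map(str.split, sg_text.splitlines()):
        if len(f) == 10 and f[3:5] == ["ALLOWS", "tcp"] and f[9] == "0.0.0.0/0":
            ports.update(range(int(f[5]), int(f[6]) + 1))
    return ports

def external_listeners(netstat_text):
    """Map port -> program for LISTEN sockets not bound to loopback only."""
    found = {}
    for f in map(str.split, netstat_text.splitlines()):
        if len(f) >= 7 and f[0] == "tcp" and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            if not addr.startswith("127."):
                found[int(port)] = f[6].split("/", 1)[-1]
    return found

def audit(sg_text, netstat_text):
    """Cross-reference world-open rules with sockets that actually listen."""
    allowed, listening = world_open_tcp(sg_text), external_listeners(netstat_text)
    return {
        "exposed": {p: listening[p] for p in sorted(allowed & set(listening))},
        "rule_unused": sorted(allowed - set(listening)),  # no listener, or loopback only
        "listener_not_allowed": {p: listening[p] for p in sorted(set(listening) - allowed)},
    }
```

Calling `audit(SG, NETSTAT)` on the posted data reports 3306 (mysqld) among the exposed services and 10051 as both allowed and listening, so neither of these two outputs accounts for the failed agent connection.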

xaviercardoza 11-19-2010 03:20 AM

Thanks
 
Thanks for your response.

I will respond shortly. I've been taken away from my testing at the moment.

Will come back soon.

Kind regards
Lazarus.

