Secure Cacti with Net-SNMP and SSH Tunnels
So I finally got around to setting up cacti/snmp on my servers. Here is what I did:
- Installed cacti on the main monitoring server which we'll call slappy. I used the FreeBSD port of cacti. Slappy already had php/mysql/apache installed.
- Added a user snmp to slappy and then generated a separate ssh-keygen key pair for each of the servers that slappy would be monitoring.
- On each of the monitored servers I installed net-snmp from the ports tree and configured it to listen over TCP on 127.0.0.1 only (an ssh -L forward carries TCP, not UDP, so snmpd's default UDP transport would not work through the tunnel). I then added a user snmp with a nologin shell and with password authentication disabled, since that account exists only to carry the SSH tunnel to the snmpd process running on localhost.
- Back on slappy I su'ed to the snmp user and created a shell script that would set up the tunnels to each of the servers using a command like this:
ssh -i ~/.ssh/keys/hostname -f -N -L 16101:127.0.0.1:161 hostname
and then added the script as a cronjob.
- Finally I added all the servers to cacti using the basic built-in net-snmp support as well as a couple of qmail and mysql scripts.
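A tunnel-starter script of the kind the cron job above could run, added here as an example rather than the post's own script; the host list, key directory and the SSH_CMD dry-run hook are assumptions. It derives a fixed local port per host and skips tunnels that are already up, so running it from cron every few minutes does not pile up duplicate ssh processes.

```shell
#!/bin/sh
# Hypothetical tunnel script for the snmp user on slappy (added example).
# Assumptions: one key per host under $KEYDIR, named after the host, and a
# constructed host list. Port N goes to the Nth host: 16101, 16102, ...
KEYDIR="$HOME/.ssh/keys"
BASE_PORT=16100
HOSTS="web1 db1 mail1"          # constructed example host list
SSH_CMD=${SSH_CMD:-ssh}         # set SSH_CMD=echo for a dry run

# Local port for the Nth host (1-based).
local_port_for() {
    echo $((BASE_PORT + $1))
}

# A tunnel counts as up when an ssh process with exactly this -L spec exists;
# the trailing space stops 16101 from matching 161010.
tunnel_is_up() {
    pgrep -f "ssh .* -L $1:127.0.0.1:161 " >/dev/null 2>&1
}

start_all() {
    i=0
    for host in $HOSTS; do
        i=$((i + 1))
        port=$(local_port_for "$i")
        if tunnel_is_up "$port"; then
            echo "tunnel to $host on 127.0.0.1:$port already up"
            continue
        fi
        # -f backgrounds ssh after authentication, -N opens no remote shell
        # (the remote snmp user has nologin anyway), and -L without a bind
        # address listens only on slappy's loopback, so other hosts cannot
        # reach the forwarded snmpd port.
        $SSH_CMD -i "$KEYDIR/$host" -f -N -L "$port:127.0.0.1:161" "$host" \
            && echo "tunnel to $host on 127.0.0.1:$port started"
    done
}

# Only start tunnels when invoked as "tunnels.sh start" (e.g. from cron);
# sourcing the file just defines the functions.
if [ "${1:-}" = "start" ]; then
    start_all
fi
```

On each monitored host the snmp user's key can additionally be pinned in authorized_keys with `permitopen="127.0.0.1:161",no-pty,no-X11-forwarding,no-agent-forwarding` so that the key is good for this one forward and nothing else.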
So I now have a nice collection of graphs for traffic, disk space, processor and memory usage, and mysql load.