
Remote monitoring and control of Linux / OpenWrt / Lede devices via port 80, continued

This is the final part of the article; the beginning is here.

Last time I wrote about how I implemented device monitoring; now I'll talk about management. In discussions with the "technicians" on the Customer's side I often run into a limited view of what such small devices (with little memory and modest performance) can do: many believe that "the most we need is to send a reboot; for anything more serious we will send a crew".

But practice shows that this is not entirely true.

Here is a short list of common typical tasks:
  1. Network diagnostics and troubleshooting. Another piece of hardware, with its own internal IP address, is usually attached to the router's Ethernet port, and sometimes you can (or need to) ping it. Or tunnel management: if a tunnel fails to come up on a router working through a 3G modem, the router itself cannot be reached directly, but we still see it.
  2. System maintenance. Firmware updates, upgrades of the service scripts.
  3. Balancing act. One could call these "perversions", but the notion of an "equilibrist", which I quote as "the ability of a circus artist to maintain balance in an unstable body position", fits better. Such situations arise from the customer's limited budget. A couple of examples follow, although they have no direct relation to the topic of the article.

Wi-Fi monitoring
A fashionable topic over the last five years, mainly among federal retail chains. You walk slowly through the sales floor, and your phone with Wi-Fi turned on, trying to attach to some network, regularly sends Probe Request frames that can be analysed in order to count you: how often do you come to this store, which paths do you walk, and so on. The data are collected and analysed, heat maps are drawn, and managers use such pictures to "beat" money out of management or investors. Meanwhile... "there is no money, but hang in there", yet a (real) result already has to be shown, and the good old song plays: "Yes, yes, later we will of course put in Cisco and anything you wish, but right now you have to show the customer a result! By the way, we forgot to mention, the Customer allowed our equipment to connect to their hotspot over Wi-Fi, but on the general terms, as if we were guest clients." So the routers have to become equilibrists: several Wi-Fi sub-interfaces come up, one of them clings to the hotspot while the second monitors the environment, frantically dumps tcpdump output, then packs the file into an archive and risks dying of "overeating" while trying to push the content to an FTP server. Not surprisingly, the equilibrist router often "breaks down" and somehow has to be "reanimated" remotely.

Radius
The situation here is easiest to describe with something like the customer's statement: "We want a decentralised network of hotspots that would work on equipment whose model is not known in advance, over channels we also do not know yet. Ah, we forgot to say: we not only want to show ads to customers, but also to analyse everything around the hotspot's installation site. No, we do not yet know why, but we will think of something; don't hesitate, we managed to come up with this idea, after all."

And we must not forget that, because so many circumstances are unknown in advance, management has to work under non-standard conditions, when we cannot connect to the router directly via ip:port and have to wait for it to show activity. In abstract terms, the dialogue between the server and the router can be represented like this:


The most interesting question: how can a remote router send some amount of information back? In the previous part I described that, because of limited resources, the router has only a "trimmed" wget that works through GET and nothing else; there is no FTP client or curl. More precisely, we need a universal way that does not depend on how the image was built. So I settled on wget. Or rather, "settled" is a strong word: I simply had no choice :)

A caveat up front
My management solution works, but it is very limited, and I'm sure it is crooked, even if it suits most of my customers. The proper way would be to write a small utility that sends binary data through port 80, include that utility in the router firmware and call it from a shell script. But the reality is that: a) it has to be done quickly; b) it may have to work on the existing "zoo of routers"; c) "do no harm!": if the router is up and doing other jobs, try not to make changes that affect its existing functionality.

Let's turn to the implementation. Suppose your customer wants to reboot a router from Zabbix easily and at ease, with a "click of the mouse". Today we begin the description of the implementation with Zabbix.

In the menu "Administration" -> "Scripts" add a new script. Call it "Reboot"; as the command, enter "php /usr/share/zabbix/reboot.php {HOST.HOST}".



Next: menu "Monitoring" -> "Latest data" -> right-click on the host you need. This is how the menu looks after adding the script.


Accordingly, we put the reboot.php script in the /usr/share/zabbix directory (yours may differ; I use the Zabbix root directory).

Security clause
For clarity of explanation I use only the router id in the script and do not use the password. It is not recommended to do this in the production version! Why I did it: because the big question is where to store the router passwords. In the Zabbix "inventory"? A contradictory practice. Alternatively: restrict external access to the reboot.php file itself.

The reboot.php file

<?php
// The router id comes from Zabbix as the first argument ({HOST.HOST}).
// The password is deliberately not used here; see the security clause above.
$user = $argv[1];
//$password = $argv[2];

$conn = new mysqli("localhost", "db_user", "db_password", "db_name");
if (mysqli_connect_errno()) {
    exit();
}
$conn->set_charset("utf8");

// Put the "reboot" task into the task column of the users table.
// The router picks the task up on its next check-in.
$sql_users = $conn->prepare("UPDATE users SET task='reboot' WHERE id=? AND status='active';");
$sql_users->bind_param('s', $user);
$sql_users->execute();
$sql_users->close();
?>

Actually everything. The open question is "how to get the result of the command from the device." Consider the problem in the example with the command ifconfig. You can send this command to the device:

 message=`ifconfig`; wget "http://xn--80abgfbdwanb2akugdrd3a2e5gsbj.xn--p1ai/a.php?u=user&p=password!&m=$message" -O /tmp/out.txt 

where:
message=`ifconfig` - we assign the output of the ifconfig command to the $message variable
wget "http://xn--80abgfbdwanb2akugdrd3a2e5gsbj.xn--p1ai/a.php - our a.php script, which registers routers and accepts messages from them
u=user&p=password!&m=$message - the credentials, and the query variable m, which is assigned the contents of the $message variable
-O /tmp/out.txt - output to the /tmp/out.txt file is not needed in this case, but if you do not specify this parameter, wget does not work

Why it works crookedly
Because it is a potential security hole. The most harmless thing that can go wrong is a "&" character turning up in the output of your command. Therefore everything sent from the routers and everything arriving at the server has to be filtered. Yes, I am ashamed, really. In my defence I can only say that the whole article is about managing routers whose firmware is not specified in advance, over communication channels not known in advance.
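The "&" problem above can be closed on the router side with nothing more than BusyBox od and awk, before the output ever reaches the query string. This is an added example, not the article's code; the server URL and credentials are placeholders.

```shell
#!/bin/sh
# Added example: carry arbitrary command output in a GET query without breaking
# the query string. Assumes BusyBox od/awk as shipped by OpenWrt; SERVER and the
# credentials are placeholders, not the article's real values.

# Percent-encode stdin byte by byte. Only RFC 3986 unreserved characters pass
# through; everything else ('&', '=', space, newline, ...) becomes %XX.
urlencode() {
  od -An -v -tx1 | tr -d ' \n' | awk '
    BEGIN { hx = "0123456789abcdef" }
    {
      for (i = 1; i <= length($0); i += 2) {
        h = substr($0, i, 2)
        n = (index(hx, substr(h, 1, 1)) - 1) * 16 + index(hx, substr(h, 2, 1)) - 1
        if ((n >= 48 && n <= 57) || (n >= 65 && n <= 90) || (n >= 97 && n <= 122) ||
            n == 45 || n == 46 || n == 95 || n == 126)
          printf "%c", n
        else
          printf "%%%s", toupper(h)
      }
    }'
}

# Build the request URL. Every query value is encoded separately, so a password
# containing '!' or a message containing '&' cannot add or overwrite parameters.
build_url() {
  base=$1; user=$2; pass=$3; msg=$4
  printf '%s?u=%s&p=%s&m=%s' "$base" \
    "$(printf '%s' "$user" | urlencode)" \
    "$(printf '%s' "$pass" | urlencode)" \
    "$(printf '%s' "$msg" | urlencode)"
}

# Run a command on the router and post its output with the trimmed wget, which
# only speaks GET. -O is kept because the article notes wget needs it.
send_output() {
  url=$(build_url "$SERVER" "$ROUTER_USER" "$ROUTER_PASS" "$("$@" 2>&1)")
  wget "$url" -O /tmp/out.txt
}

SERVER="http://example.invalid/a.php"   # placeholder, not the article's server
ROUTER_USER="user"                       # placeholder credentials
ROUTER_PASS="password!"
# Usage on a router: send_output ifconfig
```

The server side still has to treat m as untrusted text (PHP decodes the %XX form on its own in $_GET) and must never pass it to a shell or an unprepared SQL statement.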

And a note for the future: I have not yet figured out how to display results (for example, the output of a command) arriving at the server using standard Zabbix tools.

I remind you that all sources can be taken from the Git repository.

Source: https://habr.com/ru/post/446230/
