Cacti / cacti

Cacti ™
http://www.cacti.net
GNU General Public License v2.0

Unauthorized agents should be recorded into logs #5725

Closed bmfmancini closed 2 months ago

bmfmancini commented 2 months ago

If you don't have a reverse DNS or IP set for the remote poller to verify the main poller, an error reporting "you are not authorized to use this service" should appear.

However, I am seeing it does not.

Here is the function:

```php
// excerpt begins mid-block; the enclosing if/else is not shown
    if (get_nfilter_request_var('action') == 'runquery') {
        db_force_remote_cnn();
    }

    $poller_db_cnn_id = $remote_db_cnn_id;
} else {
    $poller_db_cnn_id = false;
}

if (!remote_client_authorized()) {
    print 'FATAL: Client authorization failed.  You are not authorized to use this service';
    exit;
}

set_default_action();

function remote_client_authorized() {
    global $config, $poller_db_cnn_id;

    /* don't allow to run from the command line */
    $client_addr = get_client_addr();
    if ($client_addr === false) {
        return false;
    }

    if (!filter_var($client_addr, FILTER_VALIDATE_IP)) {
        cacti_log('ERROR: Invalid remote agent client IP Address.  Exiting');
        return false;
    }

    $client_name = gethostbyaddr($client_addr);

    if ($client_name == $client_addr) {
        cacti_log('NOTE: Unable to resolve hostname from address ' . $client_addr, false, 'WEBUI', POLLER_VERBOSITY_MEDIUM);
    } else {
        $client_name = remote_agent_strip_domain($client_name);
    }

    $pollers = db_fetch_assoc('SELECT * FROM poller WHERE disabled = ""', true, $poller_db_cnn_id);

    if (cacti_sizeof($pollers) > 1) {
        foreach($pollers as $poller) {
            if (remote_agent_strip_domain($poller['hostname']) == $client_name) {
                return true;
            } elseif ($poller['hostname'] == $client_addr) {
                return true;
            }
        }
    }

    cacti_log("Unauthorized remote agent access attempt from $client_name ($client_addr)");

    return false;
}
```
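To see which inputs the quoted check accepts and which log line a denied attempt should produce, here is an added, self-contained model of the `remote_client_authorized()` logic above. It is not Cacti's code: the DNS resolver and the poller table are injected so the decision and the emitted log text can be exercised offline, and the `model_*` names, the example hostnames and the addresses are all constructed for this illustration.

```php
<?php
// Added example, not Cacti's own code. Models the authorization decision
// from remote_agent.php with gethostbyaddr() and the poller table replaced
// by injected values, so each branch (and the log line it should produce)
// can be observed without a running installation.

// Stand-in for remote_agent_strip_domain(): keep only the host label.
function model_strip_domain(string $name): string {
    $dot = strpos($name, '.');
    return $dot === false ? $name : substr($name, 0, $dot);
}

/**
 * Model of remote_client_authorized().
 *
 * @param string|false $client_addr value get_client_addr() would return
 * @param array        $pollers     rows shaped like ['hostname' => ..., 'disabled' => '']
 * @param callable     $resolve     stand-in for gethostbyaddr(): addr -> name, or addr on failure
 * @param array        $log         collects the text the real code passes to cacti_log()
 */
function model_remote_client_authorized($client_addr, array $pollers, callable $resolve, array &$log): bool {
    /* don't allow to run from the command line */
    if ($client_addr === false) {
        return false;
    }

    if (!filter_var($client_addr, FILTER_VALIDATE_IP)) {
        $log[] = 'ERROR: Invalid remote agent client IP Address.  Exiting';
        return false;
    }

    $client_name = $resolve($client_addr);

    if ($client_name == $client_addr) {
        // gethostbyaddr() returns the address itself when there is no PTR record
        $log[] = 'NOTE: Unable to resolve hostname from address ' . $client_addr;
    } else {
        $client_name = model_strip_domain($client_name);
    }

    // The real query only returns enabled pollers (disabled = "").
    $pollers = array_filter($pollers, fn($p) => $p['disabled'] === '');

    if (count($pollers) > 1) {
        foreach ($pollers as $poller) {
            if (model_strip_domain($poller['hostname']) == $client_name) {
                return true;   // reverse-DNS name matches a registered poller
            } elseif ($poller['hostname'] == $client_addr) {
                return true;   // poller registered by IP literal, name irrelevant
            }
        }
    }

    // This is the line the issue expects to find in the remote's cacti.log.
    $log[] = "Unauthorized remote agent access attempt from $client_name ($client_addr)";
    return false;
}

// Constructed poller table: a main poller, a remote registered by name,
// and a remote registered by IP literal.
$pollers = [
    ['hostname' => 'main.example.net',    'disabled' => ''],
    ['hostname' => 'remote1.example.net', 'disabled' => ''],
    ['hostname' => '192.0.2.20',          'disabled' => ''],
];

// Constructed reverse-DNS map; unknown addresses resolve to themselves.
$rdns = [
    '192.0.2.10' => 'main.example.net',
    '192.0.2.20' => 'other.example.org',
];
$resolve = fn(string $a) => $rdns[$a] ?? $a;

$cases = [
    'PTR matches poller hostname'        => '192.0.2.10',  // name branch
    'PTR differs, poller stored as IP'   => '192.0.2.20',  // IP-literal branch
    'no PTR, address not registered'     => '192.0.2.99',  // should be logged
    'not an IP literal at all'           => 'main.example.net',
];

foreach ($cases as $label => $addr) {
    $log = [];
    $ok  = model_remote_client_authorized($addr, $pollers, $resolve, $log);
    printf("%-36s -> %s\n", $label, $ok ? 'authorized' : 'DENIED');
    foreach ($log as $line) {
        printf("    cacti.log would show: %s\n", $line);
    }
}
```

Run it with `php model.php`. The third case is the situation described in this issue: the client address resolves to nothing and is not in the poller table, so the function returns false and the "Unauthorized remote agent access attempt" text is what should reach the remote's log. Note also that the match is by reverse DNS name or by IP literal, so changing only a poller's collector hostname while its row still holds the IP keeps the IP-literal branch open.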
bmfmancini commented 2 months ago

[screenshot]

Viewing device on Master that is located on remote

[screenshot]

Remote Poller Log does not record the access attempt:

```
2024-04-13 11:36:05 - SYSTEM MAINT STATS: Time:0.01
2024-04-13 11:36:04 - SYSTEM STATS: Time:1.1237 Method:spine Processes:1 Threads:1 Hosts:1 HostsPerProcess:1 DataSources:1 RRDsProcessed:0
2024-04-13 11:35:05 - SYSTEM MAINT STATS: Time:0.02
2024-04-13 11:35:04 - SYSTEM STATS: Time:1.1288 Method:spine Processes:1 Threads:1 Hosts:1 HostsPerProcess:1 DataSources:1 RRDsProcessed:0
2024-04-13 11:34:05 - SYSTEM MAINT STATS: Time:0.02
2024-04-13 11:34:04 - SYSTEM STATS: Time:1.1233 Method:spine Processes:1 Threads:1 Hosts:1 HostsPerProcess:1 DataSources:1 RRDsProcessed:0
```

Main poller does not record the error as an unauthorized user, but records:

```
024-04-13 11:37:04 - SYSTEM STATS: Time:1.2344 Method:spine Processes:1 Threads:1 Hosts:1 HostsPerProcess:1 DataSources:5 RRDsProcessed:0
2024-04-13 11:36:18 - CMDPHP PHP ERROR WARNING Backtrace: (/host.php[143]:api_device_ping_device(), /lib/api_device.php[1504]:file_get_contents(), CactiErrorHandler())
2024-04-13 11:36:18 - ERROR PHP WARNING: file_get_contents(http://foo.bar.com/cacti/remote_agent.php?action=ping&host_id=2): Failed to open stream: HTTP request failed! in file: /var/www/html/cacti/lib/api_device.php on line: 1504
```
TheWitness commented 2 months ago

Can you do a pull request, @bmfmancini?

bmfmancini commented 2 months ago

That function is what's already there. I'll do some debugging; I haven't spent much time on it yet.

TheWitness commented 2 months ago

Can the remote data collector even reach foo.bar.com? If it can not reach it, of course it will error out and the main data collector will never log an issue.

bmfmancini commented 2 months ago

The poller IP is correct but the hostname is different. So the main can reach the remote, but it will not be authorized to admin any devices on it.

TheWitness commented 2 months ago

So, the warning should be at the remote or at the main?

bmfmancini commented 2 months ago

Main: you should get an error "you're not authorized to use this service".

Remote: you should see an error "unauthorized attempt" or something like that.


bmfmancini commented 2 months ago

To test this

Have a remote set up and change only the hostname of the remote poller: not the DB hostname, just the collector hostname.


TheWitness commented 2 months ago

So, the current error is not good enough?

TheWitness commented 2 months ago

Or would you like it more meaningful? I would want to de-bounce notification for something like this for sure.

bmfmancini commented 2 months ago

It seems to be a regression.

Usually the remote would log that an error has occurred and the main would display an authorization failure, not that it cannot connect to the poller.

bmfmancini commented 2 months ago

This is good now :+1: