munin-node-win32-cygwin is most easily run via a password-less ssh session, secured by an RSA key. However, adding an sshd service to a client machine opens the possibility of attack. If PasswordAuthentication is enabled, brute force attacks against the client are possible. Running on a port other than 22 may reduce this somewhat. In general, having an sshd port open to the internet means you will be attacked rather quickly. Port scanners are constantly looking for targets.
When using an RSA key, the client is still at risk from a compromised account on the munin server. This can be mitigated by specifying a command in the authorized_keys file, rather than permitting shell access.
munin-node-win32-cygwin uses a set of executable programs (plugins) to produce output. If the plugins directory is writable, an attacker could add plugins that will be executed. To minimize risks, the owning account should be used for munin and nothing else.
munin-node-win32-cygwin requires Cygwin, Perl, and the Win32::OLE Perl module. Because the Win32::OLE module is not available pre-compiled, you will also need gcc-core, g++, and the libcrypt-devel library.
In order to connect to and run the node client, the
On the client in ~user/.ssh/authorized_keys:
ssh-rsa AAAAB2AC1...(RSA KEY)... root@server.domain.com
Optionally the client can provide the command in authorized_keys. This is more secure.
command="cd ./munin-node; /usr/bin/perl -T ./munin-node.pl",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc,no-pty ssh-rsa AAAAB2AC1...(RSA KEY)... root@server.domain.com
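The difference between the two authorized_keys entries above can be checked mechanically: the Python below flags an entry that has no forced command, lacks one of the restrictions, or carries an option name sshd does not define. It is an added example, not part of munin-node-win32-cygwin; the function names, finding strings and the placeholder key blob are assumptions made for illustration.

```python
import re
# Option names from the AUTHORIZED_KEYS FILE FORMAT section of sshd(8), lowercased.
KNOWN = {"agent-forwarding", "cert-authority", "command", "environment",
         "expiry-time", "from", "no-agent-forwarding", "no-port-forwarding",
         "no-pty", "no-touch-required", "no-user-rc", "no-x11-forwarding",
         "permitlisten", "permitopen", "port-forwarding", "principals", "pty",
         "restrict", "tunnel", "user-rc", "verify-required", "x11-forwarding"}
# Restrictions used by the hardened munin entry on this page.
WANTED = ["no-agent-forwarding", "no-port-forwarding", "no-x11-forwarding",
          "no-user-rc", "no-pty"]
KEYTYPE = re.compile(r"(ssh-|ecdsa-|sk-)")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?,?')

def split_options(line):
    """Split an entry into ({option: value}, remainder), honouring quotes."""
    if KEYTYPE.match(line):  # entry starts with the key type: no options
        return {}, line
    opts, i = {}, 0
    while i < len(line) and not line[i].isspace():
        m = OPTION.match(line, i)
        if not m:
            break
        opts[m.group(1).lower()] = m.group(2)
        i = m.end()
    return opts, line[i:].strip()

def audit(line):
    """Return a list of findings for one authorized_keys entry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    opts, rest = split_options(line)
    if not KEYTYPE.match(rest):
        return ["unparsable entry"]
    findings = [f"unknown option {o!r}" for o in sorted(opts) if o not in KNOWN]
    if not opts.get("command"):
        findings.append("no forced command: key grants shell access")
    if "restrict" not in opts:  # "restrict" turns on every restriction at once
        findings += [f"missing {w}" for w in WANTED if w not in opts]
    return findings

# Constructed sample entries; the key blob is a placeholder, not a real key.
KEY = "ssh-rsa AAAAEXAMPLEKEY root@server.domain.com"
CMD = 'command="cd ./munin-node; /usr/bin/perl -T ./munin-node.pl"'
OPTS = ",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc,no-pty "
SAMPLES = {"plain": KEY, "hardened": CMD + OPTS + KEY,
           "typo": CMD + OPTS.replace("no-port-f", "no-portf") + KEY}
if __name__ == "__main__":
    print({name: audit(entry) for name, entry in SAMPLES.items()})
```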
/usr/local/etc/munin/munin.conf
[hostname]
address ssh://user@hostname -t -t -t "cd ./munin-node; ./munin-node.pl"