dpavlin 1.1

Are my servers available to people on Internet?
-----------------------------------------------
2002-09-02 Dobrica Pavlinusic <dpavlin@rot13.org>

That same question bothered me for a long time. My situation is not unique:

Internet <--> DMZ <--> internal network and server running mon

I could check servers which are on my internal network, in the DMZ or on
Internet, but none of those checks actually told me whether an external
user somewhere on Internet could reach my services.

After a while, I developed several methods for answering my question:

1. test if internal services are available

2. test outside IP addresses (which are unavailable from the internal
   network directly) using a socks proxy located in the DMZ (using
   socksch.monitor for that)

3. install probes on various hosts on Internet which try to connect to
   my services and report success or failure.

While the first approach is required and the second one is good (and it
doesn't hurt to check it), only the third one gives the real "Joe surfer"
experience: the check starts outside my network and crosses the same path
an external user would.

So, let's see how to set up such a thing...

Typical example of such probe is:

----- webmail.cgi -----

#!/bin/sh
# CGI probe, served by a web server on a host somewhere on Internet.
# It fetches the monitored service and returns wget's own messages
# (stderr merged into stdout) as the response body, so the mon host
# can pattern-match them.

echo Content-type: text/plain
echo

# Discard the page itself (-O /dev/null); only wget's messages matter.
exec wget -O /dev/null http://webmail.foo.bar 2>&1

-----------------------

What would I get if I tried to access the webmail.cgi URI? Well, I would get
the output of wget which (if successful) would say that it saved the page to
/dev/null. I will use that to check if the service is available using

monitor lwp-http.mon -d /~dpavlin/test/webmail.cgi -r '(saved|302 Found)'

I'm adding "302 Found" to the valid regex so that I can accept redirects to
secure http servers (https) with a wget that has no ssl support: such a wget
prints the 302 status line and then gives up on the https location, so that
status line is the only evidence of success it leaves. Note that this only
proves the redirecting http server answered, not that the https service
behind it works; a probe built with an ssl-capable wget can follow the
redirect and match on "saved" alone.

Two things to keep in mind about the probe itself. It takes no request
parameters, and should stay that way: a CGI that fetched whatever URL the
caller named would be an open proxy on the probe host. And wget should get
a timeout (-T) so that a hanging target does not leave the probe, and the
check behind it, waiting indefinitely.

Now that I had solved that, all I had to do was to sit and wait to see if my
probes were working. However, soon one of my "probe servers" on Internet failed
and I got numerous alerts because one server, outside my responsibility, wasn't
available. What now?

I decided to add multiple probe servers on Internet for the same service and to
modify some mon monitors to return success if at least one of those servers is
available.

At this moment, that new option (-o) is available in:

lwp-http.mon
anon_ftp.mon

[It's implemented in anon_ftp.mon because anonymous ftp servers report an
error if there are too many users connected at the same time, and that
doesn't actually mean that the server is not working.]

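As an added example (not code from this page, from the mon distribution, or
from the author's modified monitors), the following POSIX shell script models
the two decisions described above: the -r regex check on a probe's output,
and the -o rule of "at least one probe host succeeds" next to mon's usual
rule of "every host must succeed". The probe outputs are constructed samples
in the shape wget 1.x and LWP print; the host names are placeholders.

```sh
#!/bin/sh
# Added example: models how a probe's output is judged against the -r
# regex, and how -o ("one good probe is enough") differs from the default
# ("every probe host must pass"). Not code from mon or from lwp-http.mon.
#
# The outputs below are constructed samples shaped like wget (without
# SSL support) and LWP messages; host names are placeholders.

# Regex from the article: a direct fetch ends in "... saved ...",
# a redirect to https is accepted via the "302 Found" status line.
OK_RE='(saved|302 Found)'

# Sample 1: probe reached the service and fetched the page.
PROBE_A="--12:00:01--  http://webmail.foo.bar/
           => \`/dev/null'
Resolving webmail.foo.bar... done.
Connecting to webmail.foo.bar[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,234 [text/html]

12:00:01 (1.23 MB/s) - \`/dev/null' saved [1234/1234]"

# Sample 2: probe was redirected to https; a wget without ssl stops here.
PROBE_B="--12:00:01--  http://webmail.foo.bar/
           => \`/dev/null'
Connecting to webmail.foo.bar[192.0.2.10]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://webmail.foo.bar/ [following]
https://webmail.foo.bar/: Unsupported scheme."

# Sample 3: probe ran, but could not reach the service.
PROBE_C="--12:00:01--  http://webmail.foo.bar/
           => \`/dev/null'
Connecting to webmail.foo.bar[192.0.2.10]:80... failed: Connection refused."

# Sample 4: the probe host itself is down, so the mon host never sees
# wget output at all, only its own HTTP client's error (LWP style).
PROBE_D="500 Can't connect to probe-b.example.net:80 (Connection refused)"

# probe_ok OUTPUT: exit 0 if OUTPUT matches the -r regex (one probe host).
probe_ok() {
    printf '%s\n' "$1" | grep -Eq "$OK_RE"
}

# Default mon semantics: every probe host in the hostgroup must pass.
# Arguments are "host=output" pairs. Prints the failed hosts (what a
# monitor hands back to mon) and exits 1 if any host failed.
all_probes_ok() {
    failed=""
    for pair in "$@"; do
        host=${pair%%=*}
        out=${pair#*=}
        probe_ok "$out" || failed="$failed $host"
    done
    [ -z "$failed" ] && return 0
    echo "failed:$failed"
    return 1
}

# -o semantics: success as soon as one probe host passes; only if every
# probe host failed is the service reported as down.
any_probe_ok() {
    for pair in "$@"; do
        host=${pair%%=*}
        out=${pair#*=}
        probe_ok "$out" && return 0
    done
    echo "all probe hosts failed"
    return 1
}

# Usage: host B is dead, host A reached the service; with -o that is fine.
any_probe_ok "probe-a.example.net=$PROBE_A" "probe-b.example.net=$PROBE_D" \
    && echo "webmail reachable from at least one probe host"
```

In mon.cf the probe hosts form a hostgroup, and the `monitor lwp-http.mon -o
-d ... -r ...` line sits in a service under the watch for that hostgroup; mon
passes the hostgroup's members to the monitor as its arguments, which is how
a single check covers every probe host.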
So, I have the following architecture:

Internet                  DMZ         internal network

host A [webmail.cgi]----+
                        >--------o------------------ mon host
host B [webmail.cgi]----+

This way, one of the hosts can fail and, as long as the other one responds,
I'm still safe. The price is that a dead probe host no longer raises an alert
by itself, so it is worth watching the probe hosts with their own check
(without -o) as well.