Are my servers available to people on the Internet?
---------------------------------------------------

2002-09-02 Dobrica Pavlinusic <dpavlin@rot13.org>

That same question bothered me for a long time. My situation is not unique:

Internet <--> DMZ <--> internal network and server running mon

I could check servers on my internal network, in the DMZ or on the
Internet, but none of those checks actually told me whether an external
user somewhere on the Internet could reach my services.

After a while, I developed several methods for answering my question:

1. test if internal services are available

2. test outside IP addresses (which are unavailable from the internal
   network directly) using a socks proxy located in the DMZ (using
   socksch.monitor for that)

3. install probes on various hosts on the Internet which try to connect to
   my services and report success or failure.

While the first approach is required and the second one is good (and it
doesn't hurt to check it), the third one is the real "Joe Surfer" experience:
only it tells you what an ordinary user out on the Internet actually sees.

So, let's see how to set up such a thing...

A typical example of such a probe is:

----- webmail.cgi -----

#!/bin/sh

# CGI installed on a probe host somewhere on the Internet: emit a minimal
# text/plain header, then hand over to wget and return its status messages
# (wget writes them to stderr, hence 2>&1) as the page body.
echo Content-type: text/plain
echo

exec wget -O /dev/null http://webmail.foo.bar 2>&1

-----------------------

What would I get if I tried to access the webmail.cgi URI? Well, I would get
the output of wget which (if successful) would say that it saved the page to
/dev/null. I will use that to check if the service is available, using

monitor lwp-http.mon -d /~dpavlin/test/webmail.cgi -r '(saved|302 Found)'

I'm adding "302 Found" to the regex of valid responses so that I can accept
redirects to secure http servers (https) with a wget without ssl support.

Now that I had solved that, all I had to do was to sit and wait to see if my
probes were working. However, one of my "probe servers" on the Internet soon
failed and I got numerous alerts because one server, outside my
responsibility, wasn't available. What now?

I decided to add multiple probe servers on the Internet for the same service
and to modify some mon monitors to return success if at least one of those
servers is available.

At this moment, that new option (-o) is available in:

lwp-http.mon
anon_ftp.mon

[It's implemented in anon_ftp.mon because anonymous ftp servers report an
error if there are too many users connected at the same time, and that
doesn't actually mean that the server is not working.]

So, I have the following architecture:

Internet                DMZ            internal network

host A [webmail.cgi]----+
                        >--------o------------------ mon host
host B [webmail.cgi]----+

This way, one of the hosts can fail and if the other one responds, I'm still
safe.
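As an added example (not code from mon or from the text above), here is the "succeed if at least one probe succeeds" logic of the -o option written in plain POSIX sh; it is fed constructed wget outputs for three hypothetical probe hosts (hostA, hostB, hostC) instead of live HTTP requests so it runs offline, and the argument order used for -o is an assumption.

```shell
#!/bin/sh
# Added example, not code from mon: emulates the "-o" (succeed if at least
# one probe succeeds) semantics with constructed wget output for three
# hypothetical probe hosts, so it runs without network access.

# probe_fetch HOST PATH: stand-in for fetching http://HOST/PATH (the probe's
# webmail.cgi) and returning its body, i.e. wget's own status messages.
# PATH is accepted for signature parity only; all outputs are constructed.
probe_fetch() {
    case "$1" in
        hostA) printf '%s\n' "--12:00:00-- http://webmail.foo.bar/" \
                   "HTTP request sent, awaiting response... 302 Found" \
                   "Location: https://webmail.foo.bar/ [following]" ;;
        hostB) printf '%s\n' "Connecting to webmail.foo.bar:80... failed: Connection refused." ;;
        hostC) printf '%s\n' "HTTP request sent, awaiting response... 200 OK" \
                   "12:00:01 (1.2 MB/s) - \`/dev/null' saved [4312/4312]" ;;
        *)     return 1 ;;   # unknown probe host: nothing fetched
    esac
}

# check_hosts MODE PATH REGEX HOST...
#   MODE "all": every probe must match REGEX (mon's default behaviour)
#   MODE "any": one matching probe is enough (the -o option)
# Prints the failed hosts on one line, mon style, and returns 0 on success.
check_hosts() {
    mode=$1; path=$2; regex=$3; shift 3
    failed=""; ok=0
    for host in "$@"; do
        if probe_fetch "$host" "$path" | grep -Eq "$regex"; then
            ok=$((ok + 1))
        else
            failed="${failed:+$failed }$host"
        fi
    done
    [ -n "$failed" ] && echo "$failed"
    case "$mode" in
        any) [ "$ok" -gt 0 ] ;;
        *)   [ -z "$failed" ] ;;
    esac
}

# Mirrors "lwp-http.mon -d /~dpavlin/test/webmail.cgi -r '(saved|302 Found)'"
# with -o (argument order of -o is an assumption). Note that hostA passes on
# the 302 alone: the redirect proves the http front end answers, not that
# the https service behind it does.
check_hosts any /~dpavlin/test/webmail.cgi '(saved|302 Found)' hostA hostB hostC \
    && echo "webmail reachable from at least one probe host"
```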