Are my servers available to people on Internet?
-----------------------------------------------
2002-09-02 Dobrica Pavlinusic <dpavlin@rot13.org>

That same question bothered me for a long time. My situation is not unique:


Internet <--> DMZ <--> internal network and server running mon


I could check servers which are on my internal network, in the DMZ or on the
Internet, but none of those checks actually told me whether an external
user somewhere on the Internet could reach my services.

After a while, I developed several methods for answering my question:

1. test if internal services are available

2. test outside IP addresses (which are unavailable from the internal
   network directly) using a socks proxy located in the DMZ (using
   socksch.monitor for that)

3. install probes on various hosts on the Internet which try to connect to
   my services and report success or failure.


While the first approach is required and the second one is good (and it doesn't
hurt to check it), the third one is really the "Joe surfer" experience.

So, let's see how to set up such a thing...


A typical example of such a probe is:

----- webmail.cgi -----

#!/bin/sh

# CGI header: plain text body, then the empty line that ends the headers
echo Content-type: text/plain
echo

# fetch the service and pass wget's report (which goes to stderr) back to
# whoever requested this CGI, i.e. to mon
exec wget -O /dev/null http://webmail.foo.bar 2>&1

-----------------------

What would I get if I tried to access the webmail.cgi URI? Well, I would get
the output of wget which (if successful) would say that it saved the page to
/dev/null. I use that to check whether the service is available with


monitor lwp-http.mon -d /~dpavlin/test/webmail.cgi -r '(saved|302 Found)'


I'm adding "302 Found" to the regex of valid responses so that redirects to
secure HTTP servers (https) are accepted even when the wget on the probe host
has no SSL support.

Now that I had solved that, all I had to do was sit and wait to see if my
probes were working. However, soon one of my "probe servers" on the Internet
failed and I got numerous alerts because one server, outside my
responsibility, wasn't available. What now?

I decided to add multiple probe servers on the Internet for the same service
and to modify some mon monitors to return success if at least one of those
servers is available.

At this moment, that new option (-o) is available in:

lwp-http.mon
anon_ftp.mon

[It's implemented in anon_ftp.mon because anonymous FTP servers report an
error if too many users are connected at the same time, and that doesn't
actually mean that the server is not working.]

So, I have the following architecture:


Internet                      DMZ           internal network

host A [webmail.cgi]----+
                        >--------o------------------ mon host
host B [webmail.cgi]----+


This way, one of the hosts can fail and, if the other one responds, I'm still safe.
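
The two checks described above, the regex match on the probe's wget output and
the "at least one probe host must succeed" rule of the -o option, written out as
a small shell script. This is an added example, not code from mon or from this
page: the host names, URLs and the sample wget messages in fake_fetch are
constructed so the script runs offline; fetch_probe is what you would plug in
on a real mon host.

```shell
#!/bin/sh
# Added example, not part of mon or of the original page: a shell version of
# the "succeed if at least one probe host answers" logic that the -o option
# adds to lwp-http.mon. Host names, URLs and the sample wget output below are
# constructed for the demo; PATTERN is the regex from the mon line above.

PATTERN='(saved|302 Found)'

# fetch_probe URL: fetch a probe CGI and print whatever it returned, i.e. the
# wget output captured by webmail.cgi. Used only when the network is available.
fetch_probe() {
    wget -q -O - "$1" 2>&1
}

# probe_ok FETCHER URL: exit 0 if the probe output matches PATTERN.
probe_ok() {
    "$1" "$2" | grep -Eq "$PATTERN"
}

# any_probe_ok FETCHER URL...: exit 0 if at least one probe host reports the
# service as reachable; every failing probe host is named on stderr so a dead
# probe host is still noticed without raising an alert for the service itself.
any_probe_ok() {
    fetcher=$1
    shift
    ok=0
    for url in "$@"; do
        if probe_ok "$fetcher" "$url"; then
            ok=1
        else
            echo "probe failed: $url" >&2
        fi
    done
    [ "$ok" -eq 1 ]
}

# --- offline demo: constructed responses standing in for three probe hosts ---
# (the text mimics wget's messages; real output differs in detail)
fake_fetch() {
    case "$1" in
        *hostA*) echo 'HTTP request sent, awaiting response... 302 Found' ;;
        *hostB*) echo "12:00:00 (1.23 MB/s) - \`/dev/null' saved [1234/1234]" ;;
        *)       echo 'failed: Connection refused.' ;;
    esac
}

# hostC stands for a probe server that is down; the service still counts as
# reachable because hostA answers
URLS="http://hostA.example/~dpavlin/test/webmail.cgi
http://hostC.example/~dpavlin/test/webmail.cgi"

if any_probe_ok fake_fetch $URLS; then
    echo "service reachable from at least one probe host"
else
    echo "service unreachable from every probe host"
fi
```

The failing probe hosts go to stderr rather than into the exit status, which
is the split the -o option makes: the service alert fires only when every probe
host fails, while a single dead probe server remains visible in the log for
whoever looks after it.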