MRTG how safe is it?

Martin Schwenke martin at meltin.net
Tue Sep 18 10:03:54 EST 2001


>>>>> "Stephen" == Stephen Granger <linux-boy at acenet.com.au> writes:

    Stephen> Just on Simon's comment on why don't I just run mrtg
    Stephen> locally, instead of returning input through a port. You
    Stephen> can't always assume that I will be running mrtg, and a
    Stephen> web server (apache of course) on the same machine I'll be
    Stephen> monitoring. Therefore, I can monitor CPU load from a
    Stephen> remote machine, and only have to run mrtg and apache on
    Stephen> the one machine.

If there's a significant piece of network between the machine you're
monitoring and where you want to view the MRTG graphs (for me, that
means any piece of public network), I would run MRTG on the machine
you're monitoring.  You can tell MRTG to dump the graphs into a place
where you can then fetch them via rsync (probably run an rsyncd, with
a nice tight security configuration, supported by some firewall rules)
and stick them into a web server's document tree.  That way you can
tie down SNMP, both in its configuration and via firewall rules.  One
of the big problems with SNMP is that, if you misconfigure it, people
can do serious stuff to your machine.  In my view, the configuration
for rsyncd is much simpler, and the read-only mechanisms are much more
intuitive.

    Stephen> Could someone who's in the know make some comments on
    Stephen> SNMP, security-wise, and if they find it really useful
    Stephen> for monitoring network throughput. I've only just realised
    Stephen> some of its capabilities. I was previously making sure
    Stephen> it was just another one of those redundant services, that
    Stephen> comes along with your bloated modern linux distribution
    Stephen> that left a port open and you had to turn off/remove.

It is OK for an overview of traffic, but I don't think it's as useful
as proper iptables-based IP accounting for the details (and
comparing what you think your usage is compared to what your ISP
thinks).

    Stephen> Also, is the SNMP broken in debian woody? I'm getting
    Stephen> package broken when I try to apt get it... maybe I should
    Stephen> look at the debian site first :)

Not sure about woody, but sid seems fine...

peace & happiness,
martin
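
An added example, not part of the original message: a small audit of an rsyncd.conf for the read-only, host-restricted export described above, using rsyncd's documented defaults for unset parameters. The module names, paths and the 192.0.2.10 address in the sample are constructed assumptions.

```python
TRUE = {"yes", "true", "1"}

# Constructed sample (paths and the 192.0.2.10 address are assumptions):
# [mrtg] is the locked-down export, [scratch] is deliberately loose.
SAMPLE = """\
use chroot = yes

[mrtg]
    path = /var/lib/mrtg-export
    read only = yes
    list = no
    hosts allow = 192.0.2.10

[scratch]
    path = /srv/scratch
    read only = no
"""

def parse(text):
    """Return (global_params, {module: params}) from rsyncd.conf text."""
    glob, modules, current = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            # rsyncd ignores case and whitespace in parameter names.
            key = "".join(key.split()).lower()
            (glob if current is None else current)[key] = value.strip()
    return glob, modules

def audit(text):
    """Return {module: [findings]}; unset parameters fall back to globals, then defaults."""
    glob, modules = parse(text)
    checks = [("readonly", "yes", False, "module is writable"),
              ("list", "yes", True, "module name is listed to any client"),
              ("usechroot", "yes", False, "chroot is disabled")]
    report = {}
    for name, params in modules.items():
        get = lambda key, default: params.get(key, glob.get(key, default)).lower()
        found = [msg for key, default, bad, msg in checks
                 if (get(key, default) in TRUE) == bad]
        if not get("hostsallow", ""):
            found.append("no hosts allow, so any client may connect")
        report[name] = found
    return report

if __name__ == "__main__":
    for module, findings in audit(SAMPLE).items():
        print(module, "->", findings or "ok")
```

The audit covers only the daemon's own configuration; the firewall rules restricting who can reach the rsync port are a separate layer and are not checked here.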



