From patchwork Thu Mar 27 22:45:52 2025
X-Patchwork-Submitter: Robin Roevens
X-Patchwork-Id: 8566
From: Robin Roevens
To: development@lists.ipfire.org
Cc: Robin Roevens
Subject: [PATCH 2/2] zabbix_agentd: Disable passive checks by default on new installations.
Date: Thu, 27 Mar 2025 23:45:52 +0100
Message-ID: <20250327224552.3963717-2-robin.roevens@disroot.org>
In-Reply-To: <20250327224552.3963717-1-robin.roevens@disroot.org>
References: <20250327224552.3963717-1-robin.roevens@disroot.org>

Zabbix Agent by default normally forks 10 instances to listen for incoming (passive)
checks. I, however, recommend only using active checks on an IPFire instance, so that the agent on the instance will only actively contact the Zabbix server to request a list of checks to perform instead of waiting for the server to contact the agent for every check. This frees up some resources valuable to smaller systems and makes the agent not listen on any TCP port, which is one possible attack surface less. Users with an existing installation will have to manually add the parameter to their config. This will be documented in the wiki.

Signed-off-by: Robin Roevens
---
config/zabbix_agentd/zabbix_agentd.conf | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/config/zabbix_agentd/zabbix_agentd.conf b/config/zabbix_agentd/zabbix_agentd.conf index 4480e43f2..a5a608d83 100644 --- a/config/zabbix_agentd/zabbix_agentd.conf +++ b/config/zabbix_agentd/zabbix_agentd.conf @@ -13,7 +13,16 @@ Server=127.0.0.1 ServerActive=127.0.0.1 -# List of comma delimited IP addresses that the agent should listen on. +# Number of pre-forked instances of zabbix_agentd that process passive checks. +# On IPFire this is set to 0 to disable passive checks and only allow active +# checks by default. +# Set this value in a range of 1-100 to enable passive checks or comment it +# out to revert to the Zabbix agent default (10). +StartAgents=0 + +# List of comma delimited IP addresses that the agent should listen on +# for passive checks. +# The agent will not listen on any TCP port when StartAgents is set to 0. ListenIP=GREEN_ADDRESS # This line activates IPFire specific userparameters.
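Review bot: `ListenIP=GREEN_ADDRESS` stays active in the hunk although the new comment right above it says the agent will not listen on any TCP port while `StartAgents=0`; either comment that line out alongside `StartAgents` or, if it is deliberately kept so that re-enabling passive checks is a one-line change, say so in the comment. The same applies to the `Server=127.0.0.1` allow-list line just above the hunk, which only governs passive checks and is likewise inert at `StartAgents=0`, so a reader of the shipped file cannot tell which of the three lines actually matters. The commit message also says existing installations keep passive checks unless they add the parameter by hand; the comment's "comment it out to revert to the Zabbix agent default (10)" would be clearer if it stated that an absent `StartAgents` means the same as a commented-out one, since that is exactly the state older installations are in.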
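As an added example (not part of the patch or of the IPFire tree), a small audit script that classifies a zabbix_agentd.conf by the semantics the patch comment describes: a missing or commented-out `StartAgents` means the Zabbix default of 10 passive listeners, `0` disables them, `1-100` enables them. The sample configs are constructed inline; on a real IPFire box you would point it at the shipped config file.

```shell
#!/bin/sh
# Added example, not part of the patch: report whether a zabbix_agentd.conf still
# runs passive-check listeners. Semantics follow the patch comment: StartAgents
# absent -> Zabbix default of 10 listeners; 0 -> disabled; 1-100 -> enabled.
# The sample configs written by write_samples are constructed for this demo.

passive_checks_state() {
    # $1: config path. Prints one of: default | disabled | enabled | invalid
    line=$(grep -E '^[[:space:]]*StartAgents[[:space:]]*=' "$1" | tail -n 1)
    if [ -z "$line" ]; then
        # Parameter missing (typical for an installation that predates the
        # patch): the agent falls back to 10 pre-forked passive listeners.
        echo default; return 0
    fi
    value=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    case "$value" in
        ''|*[!0-9]*) echo invalid; return 1 ;;   # empty or non-numeric value
    esac
    if [ "$value" -eq 0 ]; then echo disabled
    elif [ "$value" -le 100 ]; then echo enabled
    else echo invalid; return 1                  # outside the 0-100 range
    fi
}

write_samples() {
    # Writes constructed configs into directory $1 (file names are illustrative).
    cat > "$1/old.conf" <<'EOF'
Server=127.0.0.1
ServerActive=127.0.0.1
# List of comma delimited IP addresses that the agent should listen on.
ListenIP=GREEN_ADDRESS
EOF
    cat > "$1/new.conf" <<'EOF'
Server=127.0.0.1
ServerActive=127.0.0.1
# StartAgents=10   (a commented-out value must be ignored)
StartAgents=0
ListenIP=GREEN_ADDRESS
EOF
    printf 'StartAgents=3\n' > "$1/reenabled.conf"
    printf 'StartAgents=250\n' > "$1/bad.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in old new reenabled bad; do
    printf '%-15s %s\n' "$f.conf" "$(passive_checks_state "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

The `old.conf` case is the state a pre-patch installation stays in until `StartAgents=0` is added by hand, which is the gap the commit message points out.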