Difference between revisions of "Zabbix encryption"
Jump to navigation
Jump to search
(Created page with "- https://hub.packtpub.com/encrypting-zabbix-traffic/") |
|||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
- https://hub.packtpub.com/encrypting-zabbix-traffic/ | - https://hub.packtpub.com/encrypting-zabbix-traffic/ | ||
| + | |||
| + | Script to gen server agent and update | ||
| + | ``` | ||
| + | #!/usr/bin/env bash | ||
| + | set -ex | ||
| + | ts=$(date "+%Y%m%d-%H%M%S") | ||
| + | dir_zabbix_agent_certs=/etc/ssl/zabbix_agent_certs | ||
| + | dir_zabbix_server_certs=/etc/ssl/zabbix_server_certs | ||
| + | zabbix_agent_config_file=/etc/zabbix/zabbix_agentd.conf | ||
| + | zabbix_server_config_file=/etc/zabbix/zabbix_server.conf | ||
| + | subject="/C=US/ST=Utah/L=South Jordan/O=Insights/OU=Monitor/CN=*.example.com" | ||
| + | # | sed 's/\//\\\//g'A | ||
| + | # dir_zabbix_agent_certs_esc=$(echo $dir_zabbix_agent_certs | sed 's_/_\\/_g') | ||
| + | # exit | ||
| + | |||
| + | rm -rf zabbix_ca | ||
| + | mkdir zabbix_ca | ||
| + | chmod 700 zabbix_ca | ||
| + | cd zabbix_ca | ||
| + | |||
| + | openssl genrsa -aes256 -out zabbix_ca.key 4096 | ||
| + | openssl req -x509 -new -key zabbix_ca.key -sha256 -days 3560 -out zabbix_ca.crt -subj "${subject}" | ||
| + | openssl genrsa -out zabbix_server.key 2048 | ||
| + | openssl req -new -key zabbix_server.key -out zabbix_server.csr -subj "${subject}" | ||
| + | openssl x509 -req -in zabbix_server.csr -CA zabbix_ca.crt -CAkey zabbix_ca.key -CAcreateserial -out zabbix_server.crt -days 1460 -sha256 | ||
| + | openssl genrsa -out zabbix_agent.key 2048 | ||
| + | openssl req -new -key zabbix_agent.key -out zabbix_agent.csr -subj "${subject}" | ||
| + | openssl x509 -req -in zabbix_agent.csr -CA zabbix_ca.crt -CAkey zabbix_ca.key -CAcreateserial -out zabbix_agent.crt -days 1460 -sha256 | ||
| + | |||
| + | mkdir $dir_zabbix_agent_certs || true | ||
| + | chown zabbix $dir_zabbix_agent_certs | ||
| + | chmod 500 $dir_zabbix_agent_certs | ||
| + | cp zabbix_ca.crt $dir_zabbix_agent_certs/ | ||
| + | cp zabbix_agent.crt $dir_zabbix_agent_certs/ | ||
| + | cp zabbix_agent.key $dir_zabbix_agent_certs/ | ||
| + | |||
| + | mkdir $dir_zabbix_server_certs || true | ||
| + | chown zabbix $dir_zabbix_server_certs | ||
| + | chmod 500 $dir_zabbix_server_certs | ||
| + | cp zabbix_ca.crt $dir_zabbix_server_certs/ | ||
| + | cp zabbix_server.crt $dir_zabbix_server_certs/ | ||
| + | cp zabbix_server.key $dir_zabbix_server_certs/ | ||
| + | |||
| + | # edit zabbix_agent2.conf | ||
| + | cp $zabbix_agent_config_file $zabbix_agent_config_file.$ts | ||
| + | # | sed 's/\//\\\//g'A | ||
| + | dir_zabbix_agent_certs_esc=$(echo $dir_zabbix_agent_certs | sed 's_/_\\/_g') | ||
| + | sudo sed -i "s/^\(# \|\)TLSAccept=.*/TLSAccept=cert/g" $zabbix_agent_config_file | ||
| + | sudo sed -i "s/^\(# \|\)TLSConnect=.*/TLSConnect=unencrypted/g" $zabbix_agent_config_file | ||
| + | sudo sed -i "s/^\(# \|\)TLSCAFile=.*/TLSCAFile=$dir_zabbix_agent_certs_esc\/zabbix_ca.crt/g" $zabbix_agent_config_file | ||
| + | sudo sed -i "s/^\(# \|\)TLSCertFile=.*/TLSCertFile=$dir_zabbix_agent_certs_esc\/zabbix_agent.crt/g" $zabbix_agent_config_file | ||
| + | sudo sed -i "s/^\(# \|\)TLSKeyFile=.*/TLSKeyFile=$dir_zabbix_agent_certs_esc\/zabbix_agent.key/g" $zabbix_agent_config_file | ||
| + | exit | ||
| + | |||
| + | |||
| + | # edit zabbix_server.conf | ||
| + | dir_zabbix_server_certs_esc=$(echo $dir_zabbix_server_certs | sed 's_/_\\/_g') | ||
| + | cp $zabbix_server_config_file $zabbix_server_config_file.$ts | ||
| + | sudo sed -i "s/^\(# \|\)TLSCAFile=.*/TLSCAFile=$dir_zabbix_server_certs_esc\/zabbix_ca.crt/g" $zabbix_server_config_file | ||
| + | sudo sed -i "s/^\(# \|\)TLSCertFile=.*/TLSCertFile=$dir_zabbix_server_certs_esc\/zabbix_server.crt/g" $zabbix_server_config_file | ||
| + | sudo sed -i "s/^\(# \|\)TLSKeyFile=.*/TLSKeyFile=$dir_zabbix_server_certs_esc\/zabbix_server.key/g" $zabbix_server_config_file | ||
| + | |||
| + | # # TLSAccept=cert, unencrypted | ||
| + | # TLSAccept=cert | ||
| + | # TLSConnect=unencrypted | ||
| + | # TLSCAFile=/path/to/zabbix_agent_certs/zabbix_ca.crt | ||
| + | # TLSCertFile=/path/to/zabbix_agent_certs/zabbix_agent.crt | ||
| + | # TLSKeyFile=/path/to/zabbix_agent_certs/zabbix_agent.key | ||
| + | |||
| + | # edit zabbix_server.conf | ||
| + | # TLSCAFile=/path/to/zabbix_server_certs/zabbix_ca.crt | ||
| + | # TLSCertFile=/path/to/zabbix_server_certs/zabbix_server.crt | ||
| + | # TLSKeyFile=/path/to/zabbix_server_certs/zabbix_server.ke | ||
| + | ``` | ||
Latest revision as of 18:38, 22 October 2021
Script to gen server agent and update
#!/usr/bin/env bash
set -ex
ts=$(date "+%Y%m%d-%H%M%S")
dir_zabbix_agent_certs=/etc/ssl/zabbix_agent_certs
dir_zabbix_server_certs=/etc/ssl/zabbix_server_certs
zabbix_agent_config_file=/etc/zabbix/zabbix_agentd.conf
zabbix_server_config_file=/etc/zabbix/zabbix_server.conf
subject="/C=US/ST=Utah/L=South Jordan/O=Insights/OU=Monitor/CN=*.example.com"
# | sed 's/\//\\\//g'A
# dir_zabbix_agent_certs_esc=$(echo $dir_zabbix_agent_certs | sed 's_/_\\/_g')
# exit
rm -rf zabbix_ca
mkdir zabbix_ca
chmod 700 zabbix_ca
cd zabbix_ca
openssl genrsa -aes256 -out zabbix_ca.key 4096
openssl req -x509 -new -key zabbix_ca.key -sha256 -days 3560 -out zabbix_ca.crt -subj "${subject}"
openssl genrsa -out zabbix_server.key 2048
openssl req -new -key zabbix_server.key -out zabbix_server.csr -subj "${subject}"
openssl x509 -req -in zabbix_server.csr -CA zabbix_ca.crt -CAkey zabbix_ca.key -CAcreateserial -out zabbix_server.crt -days 1460 -sha256
openssl genrsa -out zabbix_agent.key 2048
openssl req -new -key zabbix_agent.key -out zabbix_agent.csr -subj "${subject}"
openssl x509 -req -in zabbix_agent.csr -CA zabbix_ca.crt -CAkey zabbix_ca.key -CAcreateserial -out zabbix_agent.crt -days 1460 -sha256
mkdir $dir_zabbix_agent_certs || true
chown zabbix $dir_zabbix_agent_certs
chmod 500 $dir_zabbix_agent_certs
cp zabbix_ca.crt $dir_zabbix_agent_certs/
cp zabbix_agent.crt $dir_zabbix_agent_certs/
cp zabbix_agent.key $dir_zabbix_agent_certs/
mkdir $dir_zabbix_server_certs || true
chown zabbix $dir_zabbix_server_certs
chmod 500 $dir_zabbix_server_certs
cp zabbix_ca.crt $dir_zabbix_server_certs/
cp zabbix_server.crt $dir_zabbix_server_certs/
cp zabbix_server.key $dir_zabbix_server_certs/
# edit zabbix_agent2.conf
cp $zabbix_agent_config_file $zabbix_agent_config_file.$ts
# | sed 's/\//\\\//g'A
dir_zabbix_agent_certs_esc=$(echo $dir_zabbix_agent_certs | sed 's_/_\\/_g')
sudo sed -i "s/^\(# \|\)TLSAccept=.*/TLSAccept=cert/g" $zabbix_agent_config_file
sudo sed -i "s/^\(# \|\)TLSConnect=.*/TLSConnect=unencrypted/g" $zabbix_agent_config_file
sudo sed -i "s/^\(# \|\)TLSCAFile=.*/TLSCAFile=$dir_zabbix_agent_certs_esc\/zabbix_ca.crt/g" $zabbix_agent_config_file
sudo sed -i "s/^\(# \|\)TLSCertFile=.*/TLSCertFile=$dir_zabbix_agent_certs_esc\/zabbix_agent.crt/g" $zabbix_agent_config_file
sudo sed -i "s/^\(# \|\)TLSKeyFile=.*/TLSKeyFile=$dir_zabbix_agent_certs_esc\/zabbix_agent.key/g" $zabbix_agent_config_file
exit
# edit zabbix_server.conf
dir_zabbix_server_certs_esc=$(echo $dir_zabbix_server_certs | sed 's_/_\\/_g')
cp $zabbix_server_config_file $zabbix_server_config_file.$ts
sudo sed -i "s/^\(# \|\)TLSCAFile=.*/TLSCAFile=$dir_zabbix_server_certs_esc\/zabbix_ca.crt/g" $zabbix_server_config_file
sudo sed -i "s/^\(# \|\)TLSCertFile=.*/TLSCertFile=$dir_zabbix_server_certs_esc\/zabbix_server.crt/g" $zabbix_server_config_file
sudo sed -i "s/^\(# \|\)TLSKeyFile=.*/TLSKeyFile=$dir_zabbix_server_certs_esc\/zabbix_server.key/g" $zabbix_server_config_file
# # TLSAccept=cert, unencrypted
# TLSAccept=cert
# TLSConnect=unencrypted
# TLSCAFile=/path/to/zabbix_agent_certs/zabbix_ca.crt
# TLSCertFile=/path/to/zabbix_agent_certs/zabbix_agent.crt
# TLSKeyFile=/path/to/zabbix_agent_certs/zabbix_agent.key
# edit zabbix_server.conf
# TLSCAFile=/path/to/zabbix_server_certs/zabbix_ca.crt
# TLSCertFile=/path/to/zabbix_server_certs/zabbix_server.crt
# TLSKeyFile=/path/to/zabbix_server_certs/zabbix_server.ke