New monitoring plugin: check_sftp to monitor SFTP server(s)

Written by - 0 comments

Published on - Listed in Monitoring Linux Network Cloud


It's time to announce a new monitoring plugin: check_sftp. This is a monitoring plugin to check SFTP server(s).

Another check_sftp?

You might ask, why another check_sftp monitoring plugin?

To correctly monitor different kinds of SFTP servers, I created a list of requirements for a SFTP check plugin:

  • Must be able to support password authentication (often used on SFTP/FTP servers for file exchange)
  • Must be able to support key authentication using a private key as SSH identity file
  • Must be able to support encrypted private keys, too
  • Must be able to define a remote directory
  • Must be easy to use and run on many environments without having to install a lot of additional software as dependencies
  • Must run out of the box (without having to manipulate the code) using parameters to fit in depending on the targeted SFTP server

On my research I came across a couple of monitoring plugins which can be used to check a SFTP connection. But let's take a closer look at them.

  • check_sftp.jar (found on Nagios Exchange) is a monitoring plugin from 2012 which runs as a Java application (jar). This involves installing additional software, such as the Java runtime, and is, simply said, overkill.
  • check_sftp.py (found on GitHub) is a Python script written in 2007. This might also be the reason I couldn't get it to run with a recent Python version (3.8). Example error: TypeError: '>=' not supported between instances of 'NoneType' and 'int'. It would have required a lot of effort to fix and update the code. Besides this, the plugin doesn't support password authentication, according to the --help output: password to use (not implemented yet)
  • check_sftp.py (found on Checkmk's Gitlab) is yet another plugin written in Python and made for Checkmk in 2019. It looks more promising and uses the Paramiko Python module to establish a SSH/SFTP session. However as this plugin is part of Checkmk, a standalone usage of this script did not work and would require additional code manipulation.
  • check_sftp.sh (found on GitHub) is a Shell (Bash) script from 2015 which uses hard-coded variables (no input parameters) to establish a password authenticated SFTP connection.

None of these existing plugins would fulfill all of my own requirements. Time to create my own implementation.

SFTP and password/key passphrase in batch-mode: Tricky

But creating my own check_sftp.sh plugin from scratch wasn't as easy as I anticipated. During coding of the plugin I came across several issues. The main issue being that sftp (the command) does not support a password. With a clever workaround this could be solved by using sshpass forwarding a $SSHPASS variable to sftp.

Another problem was also handling private keys as SSH identify file which are encrypted with a passphrase. Similar to the password problem, there is no direct way of reading a passphrase from a submitted parameter (-p passphrase) to unlock a key. This needed to be solved using ssh-agent in the background.

But eventually these problems were all solved and check_sftp was ready.

check_sftp Usage

Now with check_sftp published and ready, the usage is very easy and for most users self explaining. Here are a couple of use cases.

Classic SFTP login with password authentication

By defining a user (-u) and a password (-p), this tells the plugin to switch to password authentication mode:

./check_sftp.sh -H sftp.example.com -u sftpuser -p verysecret
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672123986) into/from remote directory (monitoring) worked.|checktime=0s;;;;

SFTP login using a different port

The plugin also supports connecting to a different port, if SFTP/SSH listens on a different port than the default (default: 22):

./check_sftp.sh -H sftp.example.com -P 2222 -u sftpuser -p verysecret
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672123986) into/from remote directory (monitoring) worked.|checktime=0s;;;;

Using a different remote directory

By default, the plugin uses "monitoring" as remote directory. The plugin will create the remote directory on the SFTP server and upload a temporary file into that directory. Depending on the SFTP user, maybe only a specific directory is writeable. The plugin can be told to use a different remote directory instead by defining the -d parameter:

$ ./check_sftp.sh -H sftp.example.com -u sftpuser -d writedir
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672138346) into/from remote directory (writedir) worked.|checktime=1s;;;;

SFTP check using key authentication

Using a key authentication is much more secure than using password authentication. The plugin supports key authentication, too, by defining a key file with the -i parameter:

./check_sftp.sh -H sftp.example.com -u sftpuser -i ~/.ssh/id_rsa
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672124527) into/from remote directory (monitoring) worked.|checktime=1s;;;;

As you may notice, there was no passphrase required for the key. This could mean that the private key is not encrypted and can be used without unlocking or it could mean that the private key was already added into ssh-agent and is listed under the output of ssh-add -l.

SFTP check with encrypted key

When running check_sftp inside a monitoring solution, such as Nagios or Icinga, the executing user (usually nagios) is usually not running ssh-agent. An encrypted private key therefore needs to be unlocked on the fly with a passphrase. This can be achieved by defining a private key (using -i) and the password parameter (-p). When both -i and -p are used in combination, the plugin knows it needs to unlock the defined private key and add it into a temporary ssh-agent session. 

./check_sftp.sh -H sftp.example.com -u sftpuser -i ~/.ssh/id_rsa -p passphrase
CHECK_SFTP OK: Communication to sftp.example.com worked. Upload, Download and Removal of file (mon.1672124662) into/from remote directory (monitoring) worked.|checktime=1s;;;;

Documentation of check_sftp monitoring plugin

As always, a documentation of the check_sftp monitoring-plugin was created. The documentation contains basic information about the usage but also shows different use case examples and integration into Nagios, Icinga 1, Icinga 2, Shinken and Naemon monitoring software.



Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder