check_openvpn: Update to 20151106
This commit is contained in:
parent
3155447fb2
commit
7eb6cc05d9
|
|
@ -2,9 +2,9 @@
|
|||
|
||||
# Check if an OpenVPN server runs on a given UDP port.
|
||||
#
|
||||
# Copyright 2013 Roland Wolters, credativ GmbH
|
||||
# Copyright 2013 Roland Wolters
|
||||
#
|
||||
# Version 20130904
|
||||
# Version 20151106
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining
|
||||
# a copy of this software and associated documentation files (the
|
||||
|
|
@ -25,62 +25,145 @@
|
|||
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
|
||||
import sys
|
||||
import os
|
||||
import time
|
||||
import hmac
|
||||
import hashlib
|
||||
import struct
|
||||
import socket
|
||||
import argparse
|
||||
import binascii
|
||||
|
||||
HMAC_CLIENT_KEY_START = 192
|
||||
BUFFER_SIZE = 1024
|
||||
|
||||
def ok(msg):
|
||||
print "OK: %s" % msg
|
||||
sys.exit(0)
|
||||
print 'OK: %s' % msg
|
||||
return 0
|
||||
|
||||
def critical(msg):
|
||||
print "CRIT: %s" % msg
|
||||
sys.exit(2)
|
||||
print 'CRIT: %s' % msg
|
||||
return 2
|
||||
|
||||
def checkserver(host,port,proto):
|
||||
byte_stream = "\x38\x01\x00\x00\x00\x00\x00\x00\x00"
|
||||
def buildpacket(tcp, key, digestmod):
|
||||
packet = 1
|
||||
ts = int(time.time())
|
||||
session = os.urandom(8)
|
||||
|
||||
if key:
|
||||
# hmac
|
||||
h = hmac.new(key, digestmod=digestmod)
|
||||
h.update(struct.pack('>I', packet)) # packet id
|
||||
h.update(struct.pack('>I', ts)) # net time
|
||||
h.update('\x38') # type
|
||||
h.update(session) # session id
|
||||
h.update(struct.pack('>B', 0)) # message packet id array length
|
||||
h.update(struct.pack('>I', 0)) # message packet id
|
||||
|
||||
# packet
|
||||
result = ''
|
||||
result += '\x38' # type
|
||||
result += session # session id
|
||||
if key: result += h.digest() # hmac
|
||||
result += struct.pack('>I', packet) # packet id
|
||||
result += struct.pack('>I', ts) # net time
|
||||
result += struct.pack('>B', 0) # message packet id array length
|
||||
result += struct.pack('>I', 0) # message packet id
|
||||
if tcp: result = struct.pack('>H', len(result)) + result
|
||||
return result
|
||||
|
||||
if proto:
|
||||
ovpn_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
else:
|
||||
ovpn_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
|
||||
ovpn_sock.settimeout(5)
|
||||
def checkserver(host, port, tcp, timeout, key, digest):
|
||||
packet = buildpacket(tcp, key, digest)
|
||||
if tcp: checkserver_tcp(host, port, timeout, packet)
|
||||
else: checkserver_udp(host, port, timeout, packet)
|
||||
|
||||
def checkserver_udp(host, port, timeout, packet):
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
|
||||
s.settimeout(timeout)
|
||||
|
||||
try:
|
||||
ovpn_sock.connect((host, port))
|
||||
ovpn_sock.sendto(byte_stream, (host, port))
|
||||
data, addr = ovpn_sock.recvfrom(1024) # buffer size is 1024 bytes
|
||||
s.sendto(packet, (host, port))
|
||||
data, _ = s.recvfrom(BUFFER_SIZE)
|
||||
reply = binascii.hexlify(data)
|
||||
if proto:
|
||||
ok("OpenVPN tcp port reachable.")
|
||||
else:
|
||||
ok("OpenVPN server response (hex): %s" % reply)
|
||||
except socket.timeout:
|
||||
critical("Request timed out")
|
||||
ovpn_sock.close()
|
||||
except (socket.error, Exception):
|
||||
critical("OpenVPN server not responding")
|
||||
ovpn_sock.close()
|
||||
return ok('OpenVPN UDP server response (hex): %s' % reply)
|
||||
except:
|
||||
return critical('OpenVPN UDP server not responding')
|
||||
finally:
|
||||
s.close()
|
||||
|
||||
ovpn_sock.close()
|
||||
return data
|
||||
def checkserver_tcp(host, port, timeout, packet):
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.settimeout(timeout)
|
||||
|
||||
try:
|
||||
s.connect((host, port))
|
||||
s.send(packet)
|
||||
data = s.recv(BUFFER_SIZE)
|
||||
if len(data) <= 0: raise RuntimeError
|
||||
reply = binascii.hexlify(data)
|
||||
return ok('OpenVPN TCP server response (hex): %s' % reply)
|
||||
except:
|
||||
return critical('OpenVPN TCP server not responding')
|
||||
finally:
|
||||
s.close()
|
||||
|
||||
def optionsparser():
|
||||
def readkey(path):
|
||||
key = None
|
||||
try:
|
||||
with open(path, 'r') as myfile: key = myfile.read()
|
||||
except:
|
||||
return None
|
||||
index_start = key.find('-\n');
|
||||
index_end = key.find('\n-', index_start);
|
||||
if index_start < 0 or index_end < 0 or index_end <= index_start:
|
||||
return None
|
||||
index_start += 2
|
||||
key = key[index_start:index_end].replace('\n', '').replace('\r', '')
|
||||
return key
|
||||
|
||||
def optionsparser(args=None):
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("-p","--port", help="set port number",
|
||||
type=int, dest="port", default="1194")
|
||||
parser.add_argument("-t","--tcp", help="use tcp instead of udp",
|
||||
action="store_true")
|
||||
parser.add_argument("host", type=str, help="the OpenVPN host name or ip")
|
||||
return parser.parse_args()
|
||||
parser.add_argument('-p', '--port', help='set port number (default is %%default)', type=int, dest='port', default='1194')
|
||||
parser.add_argument('-t', '--tcp', help='use tcp instead of udp', action='store_true')
|
||||
parser.add_argument('--timeout', help='set timeout (default is %%default)', type=int, default='5')
|
||||
parser.add_argument('--digest', help='set HMAC digest (default is %%default)', type=str, default='sha1')
|
||||
parser.add_argument('--digest-size', help='set HMAC digest size', type=int)
|
||||
parser.add_argument('--digest-key', help='set HMAC key', type=str, default=None)
|
||||
parser.add_argument('--tls-auth', help='set tls-auth file', type=str, default=None)
|
||||
parser.add_argument('host', type=str, help='the OpenVPN host name or ip')
|
||||
return parser.parse_args(args)
|
||||
|
||||
def main():
|
||||
arguments = optionsparser()
|
||||
args = optionsparser()
|
||||
|
||||
if args.digest_size and args.digest_size < 0:
|
||||
critical('digest size must be positive')
|
||||
if args.tls_auth and args.digest_key:
|
||||
critical('--tls-auth cannot go with --digest-key')
|
||||
|
||||
key = args.digest_key
|
||||
digest = args.digest
|
||||
digest_size = args.digest_size
|
||||
|
||||
digest = digest.lower()
|
||||
if digest not in hashlib.algorithms:
|
||||
return critical('digest not available')
|
||||
try:
|
||||
digest = getattr(hashlib, digest)
|
||||
if not digest_size: digest_size = digest().digest_size
|
||||
except:
|
||||
return critical('digest creation failed')
|
||||
|
||||
if args.tls_auth:
|
||||
key = readkey(args.tls_auth)
|
||||
if key == None: return critical('cannot read tls auth file')
|
||||
index_start = HMAC_CLIENT_KEY_START * 2
|
||||
index_end = (HMAC_CLIENT_KEY_START + digest_size) * 2
|
||||
key = key[index_start:index_end]
|
||||
|
||||
if key: key = binascii.unhexlify(key)
|
||||
|
||||
return checkserver(args.host, args.port, args.tcp, args.timeout, key, digest)
|
||||
|
||||
data = checkserver(arguments.host,arguments.port,arguments.tcp)
|
||||
|
||||
if __name__ == "__main__":
|
||||
if __name__ == '__main__':
|
||||
main()
|
||||
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
Homepage: https://raw.github.com/liquidat/nagios-icinga-checks/master/check_openvpn
|
||||
Watch: https://raw.github.com/liquidat/nagios-icinga-checks/master/check_openvpn Version\ ([0-9.]+)
|
||||
Recommends: libpython-stdlib
|
||||
Version: 20130904
|
||||
Version: 20151106
|
||||
Uploaders: Jan Wagner <waja@cyconet.org>
|
||||
Description: plugin to check if an OpenVPN server runs on a given port
|
||||
|
|
|
|||
Loading…
Reference in a new issue