A Rule Engine for State and Event Monitoring

NodeBrain Over an SSH Tunnel

You can add an extra layer of security by running NodeBrain peer-to-peer communication over a secure tunnel. The idea is to establish an encrypted tunnel between two systems using a form of authentication and encryption that is already trusted and approved in your environment. The tunnel is configured to listen only for local connections on system A and to forward those connections to a NodeBrain agent at the other end of the tunnel on system B. On system B, NodeBrain is configured to accept connections only from the local host. This way the NodeBrain service is not exposed to attack from systems other than A and B; it remains reachable by any process on those two hosts that can connect to the loopback interface, so the agent's own peer authentication still matters. (Additional tunnels can be established for other trusted hosts.)

A tunnel can be established from portA on hostA to portB on hostB by executing the following command on hostA.

    ssh -2 -f -N -L portA:localhost:portB hostB

The -f option sends ssh to the background once authentication has completed, -N opens the forwarding without running a remote command, and -2 forces SSH protocol version 2 (current OpenSSH releases support only version 2, so the option is no longer needed). By default -L binds the listening end of the tunnel to the loopback interface of hostA only; you can state that explicitly as -L 127.0.0.1:portA:localhost:portB. Forwarded connections leave the tunnel on hostB addressed to localhost:portB, which is what allows the agent on hostB to listen on the loopback address alone.

On host A, you specify the host B agent as follows. Notice that it is defined as the local end of the SSH tunnel.

    declare brainB brain identityB@localhost:portA;

On host B, the agent is configured to listen only on the loopback address, which is used by B's end of the tunnel.

    define ear listener type="NBP",address="localhost",port=portB;
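As an added example that is not part of NodeBrain or of this page, the following POSIX shell script generates the three configuration lines above for a chosen hostB, portA and portB, and audits `ss -ltn` style output to confirm that the tunnel entrance (portA on hostA) and the agent (portB on hostB) are bound to the loopback address only, which is the property the whole scheme depends on. The host name hostB, the identity identityB, the ports 2222 and 8080, and the sample listener listing are placeholders constructed for illustration.

```shell
#!/bin/sh
# Added example for this page; it is not part of NodeBrain. Host names, ports,
# identity names and the sample `ss` listing are placeholders chosen for
# illustration.

# ssh command for the hostA end of the tunnel. 127.0.0.1 is the default bind
# address for -L, but stating it makes the loopback-only intent explicit.
#   $1 = remote host (hostB), $2 = local port (portA), $3 = agent port (portB)
nb_tunnel_cmd() {
    printf 'ssh -f -N -L 127.0.0.1:%s:localhost:%s %s\n' "$2" "$3" "$1"
}

# NodeBrain declare statement for hostA: the peer is the local tunnel end.
#   $1 = brain name, $2 = identity, $3 = local port (portA)
nb_declare_cmd() {
    printf 'declare %s brain %s@localhost:%s;\n' "$1" "$2" "$3"
}

# NodeBrain listener definition for hostB: loopback only.
#   $1 = listener name, $2 = agent port (portB)
nb_listener_cmd() {
    printf 'define %s listener type="NBP",address="localhost",port=%s;\n' "$1" "$2"
}

# Read `ss -ltnH` style lines on stdin (State Recv-Q Send-Q Local:Port Peer:Port)
# and print the local address of every listener on port $1 that is not bound
# to loopback. Exit status 0 means every listener on that port is loopback-only.
nb_check_loopback() {
    awk -v port="$1" '
        {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next          # different port, ignore
            sub(":" port "$", "", addr)         # strip the port suffix
            if (addr != "127.0.0.1" && addr != "[::1]") {
                print addr                      # 0.0.0.0, *, [::] and the like
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample of `ss -ltnH` output (not captured from a real host):
# the tunnel entrance on 2222 is loopback-only, but a misconfigured agent on
# 8080 listens on every IPv4 address.
NB_SAMPLE_SS='LISTEN 0 128 127.0.0.1:2222 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# Print the generated configuration and audit both ports against the sample.
# Returns 1 if either port is exposed beyond loopback.
nb_demo() {
    nb_tunnel_cmd hostB 2222 8080
    nb_declare_cmd brainB identityB 2222
    nb_listener_cmd ear 8080
    rc=0
    for p in 2222 8080; do
        if exposed=$(printf '%s\n' "$NB_SAMPLE_SS" | nb_check_loopback "$p"); then
            echo "port $p: loopback only"
        else
            echo "port $p: EXPOSED on $exposed"
            rc=1
        fi
    done
    return $rc
}
```

Source the file and run `nb_demo` to see the generated lines and the audit of the constructed sample; on a real host, pipe `ss -ltnH` into `nb_check_loopback portB` (on hostB) or `nb_check_loopback portA` (on hostA) to verify that neither end has been exposed on a non-loopback address.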

In a configuration like this, NodeBrain is unaware of the tunnel and authenticates peers exactly as it would without it. This is appropriate because the SSH tunnel authenticates hostA (or the account that opened the tunnel) to hostB, but it knows nothing about the identity or permissions of the individual users on system A who may connect to localhost:portA and thereby reach the agent on system B. The tunnel protects the traffic in transit; NodeBrain's own identity checks still decide who may connect and what they may do.

There are several variations of this scenario that you can explore by studying the ssh documentation. For example, you may want to open portA to remote hosts using the -g option if the purpose of the tunnel is to get through a firewall; bear in mind that the agent on hostB then becomes reachable by any host that can connect to portA on hostA, so hostA's own access controls have to provide the protection that the loopback-only binding gave before. Or you could run both ends of the tunnel on a dual-homed host to provide a gateway to a NodeBrain agent listening for remote connections on one side of the gateway.

Copyright © 2015