Are my servers available to people on Internet?
-----------------------------------------------

2002-09-02 Dobrica Pavlinusic

That same question bothered me for a long time. My situation is not unique:

  Internet <--> DMZ <--> internal network and server running mon

I could check servers which are on my internal network, in the DMZ or on the Internet, but none of those checks actually helped me to know whether an external user somewhere on the Internet could reach my services.

After a while, I developed several methods for answering my question:

1. test if internal services are available
2. test outside IP addresses (which are unavailable from the internal network directly) using a socks proxy located in the DMZ (using socksch.monitor for that)
3. install probes on various hosts on the Internet which try to connect to my services and report success or failure.

While the first approach is required and the second one is good (and it doesn't hurt to check it), the third one is really the "Joe surfer" experience. So, let's see how to set up such a thing...

A typical example of such a probe is:

----- webmail.cgi -----
#!/bin/sh
# CGI header: a plain-text body follows the blank line
echo Content-type: text/plain
echo
# wget's own messages (stderr) become the body of the CGI response
exec wget -O /dev/null http://webmail.foo.bar 2>&1
-----------------------

What would I get if I tried to access the webmail.cgi URI? Well, I would get the output of wget which (if successful) would say that it saved the page to /dev/null. I will use that to check if the service is available using the monitor:

  lwp-http.mon -d /~dpavlin/test/webmail.cgi -r '(saved|302 Found)'

I'm adding "302 Found" to the valid regex so that I can accept redirects to secure http servers (https) with a wget without ssl support.

Now that I solved that, all I had to do was to sit and wait to see if my probes were working. However, soon one of my "probe servers" on the Internet failed and I got numerous alerts because one server, outside my responsibility, wasn't available. What now?
I decided to add multiple probe servers on the Internet for the same service and to modify some mon monitors to return success if at least one of those servers is available. At this moment, that new option (-o) is available in:

  lwp-http.mon
  anon_ftp.mon

[It's implemented in anon_ftp.mon because anonymous ftp servers report an error if there are too many users connected at the same time, and that doesn't actually mean that the server is not working.]

So, I have the following architecture:

      Internet                  DMZ          internal network

  host A [webmail.cgi]----+
                          >--------o------------------ mon host
  host B [webmail.cgi]----+

This way, one of the hosts can fail and, if the other one responds, I'm still safe.
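The following script is an added example of the two ideas in this post put together: the probe CGI is fetched over HTTP, its wget output is matched against the same '(saved|302 Found)' regex given to lwp-http.mon, and, like the -o option, the check succeeds as long as at least one probe reached the service. It is not code from the post or from mon (whose monitors are written in Perl); the probe hostnames hostA.example and hostB.example and the wget output lines are constructed sample data, not captured from real hosts.

```python
#!/usr/bin/env python3
"""Check a service through several Internet-side probe CGIs and report
success if at least one of them reaches it (the post's -o behaviour).
Added example; not the post's or mon's own code."""
import re
import sys
import urllib.request
from urllib.error import URLError

# Same pattern the post passes to lwp-http.mon -r: wget's "saved" line,
# or a 302 redirect to the https server (wget here has no ssl support).
OK_PATTERN = re.compile(r"(saved|302 Found)")

# Constructed sample probe outputs (not real captures); hostA succeeds,
# hostB cannot reach the webmail server.
SAMPLE_OUTPUTS = {
    "http://hostA.example/~dpavlin/test/webmail.cgi":
        "--12:00:01--  http://webmail.foo.bar/\n"
        "           => `/dev/null'\n"
        "12:00:01 (1.2 MB/s) - `/dev/null' saved [4321/4321]\n",
    "http://hostB.example/~dpavlin/test/webmail.cgi":
        "Connecting to webmail.foo.bar:80... failed: Connection refused.\n",
}


def probe_ok(body, pattern=OK_PATTERN):
    """True if the probe's wget output shows the service was reachable."""
    return pattern.search(body) is not None


def fetch_probe(url, timeout=10.0):
    """Fetch one probe CGI and return its text body.
    Any transport error counts as a failed probe, not a crash."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (URLError, OSError) as exc:
        return "probe error: %s" % exc


def check_probes(outputs, require_all=False):
    """outputs maps probe URL -> body text. Returns (ok, failed_probes).

    require_all=False mirrors the post's -o option: one reachable probe is
    enough. With no probes at all there is no evidence, so ok is False."""
    failed = [url for url, body in outputs.items() if not probe_ok(body)]
    if require_all:
        ok = bool(outputs) and not failed
    else:
        ok = len(failed) < len(outputs)
    return ok, failed


def main(urls):
    """mon monitor convention: print failing hosts on stdout, exit non-zero."""
    outputs = {u: fetch_probe(u) for u in urls}
    ok, failed = check_probes(outputs)
    if not ok:
        print(" ".join(failed))
        return 1
    return 0


if __name__ == "__main__":
    # usage: probes.py http://hostA.example/.../webmail.cgi http://hostB.example/.../webmail.cgi
    sys.exit(main(sys.argv[1:]))
```

One thing to keep in mind with the regex: "302 Found" is accepted wherever the redirect points, so a probe that is bounced to an error or maintenance page still counts as a success; if that matters, match on the Location line as well.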