NRPE upgrade from 2.15 to 3.20 and SSL

NMFSTeam
Posts: 88
Joined: Thu Nov 12, 2015 9:01 am

NRPE upgrade from 2.15 to 3.20 and SSL

Post by NMFSTeam »

We have a CentOS 6 server running Nagios XI 5.4.8. We are using NRPE on some remote Linux servers (clients) so that the Nagios XI server can monitor things. We recently upgraded the clients from NRPE 2.15 to 3.20 (compiled from source). We would like to begin hardening the SSL settings on the clients, as they are showing as being vulnerable using our security tool (things like "SSL Medium Strength Cipher Suites Supported"). When we tried enabling the SSL settings in the nrpe.cfg file on the clients, the Nagios XI server is no longer able to establish a connection ("CHECK_NRPE: Error - Could not complete SSL handshake."). Perhaps we need to update NRPE on the Nagios XI server itself? Also, do we need to update the plugins, either on the clients, or the Nagios XI server? And what are the recommended SSL settings for the nrpe.cfg file? We were going to set it to use TLS 1.1 (or higher), and set the list of allowed ciphers (as strict as possible).

All client machines are running RHEL7 or CentOS 7.

Thanks,
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: NRPE upgrade from 2.15 to 3.20 and SSL

Post by tgriep »

To get enhanced security when using the NRPE Agent, you will have to upgrade the check_nrpe plugin on the Nagios server and configure it to use the SSL settings / certs you have configured on the remote servers.
Take a look at this KB article for instructions / examples.
https://support.nagios.com/kb/article/n ... urity.html

You do not need to update the NRPE Agent on the XI server, only the plugin.

One thing, if you are running both old and new NRPE Agents on the remote hosts, you may want to create a new check_nrpe command on the XI server and use that for the new hosts, which will keep the existing installations working.
https://support.nagios.com/kb/article/n ... sions.html

The rest of the plugins on the XI server and the remote hosts can stay the same and do not need to be upgraded.
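As an added example (not from the thread or from Nagios), this shell/awk audit checks the SSL directives of an NRPE 3.x nrpe.cfg against the goals stated in the question: TLS 1.1 or higher and a strict cipher list. The directive names are those of the NRPE 3 sample nrpe.cfg; the sample configs, the placeholder certificate paths and the list of weak cipher tokens are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag weak SSL/TLS directives in an NRPE 3.x nrpe.cfg.
# Reads the config from stdin or a file argument, prints one finding per
# line, and returns 1 if there is any finding.
audit_nrpe_ssl() {
    awk '
    /^[ \t]*#/ || !/=/ { next }            # skip comments and non-directives
    {
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        cfg[key] = val                     # keep the last value seen
    }
    END {
        v = cfg["ssl_version"]
        if (v == "")
            print "ssl_version: unset, compiled-in default applies"
        else if (v != "TLSv1.1" && v != "TLSv1.1+" && v != "TLSv1.2" && v != "TLSv1.2+")
            print "ssl_version: " v " permits protocols older than TLS 1.1"
        if (cfg["ssl_use_adh"] != "0")
            print "ssl_use_adh: anonymous DH is not disabled (want 0)"
        else if (cfg["ssl_cert_file"] == "" || cfg["ssl_privatekey_file"] == "")
            print "ssl_cert_file/ssl_privatekey_file: needed once ADH is off"
        c = cfg["ssl_cipher_list"]
        if (c == "")
            print "ssl_cipher_list: unset, compiled-in default applies"
        n = split(c, tok, ":")
        for (i = 1; i <= n; i++)           # un-negated broad or weak classes
            if (tok[i] ~ /^(ALL|DEFAULT|MEDIUM|LOW|EXP|EXPORT|aNULL|eNULL|ADH|RC4|DES|3DES|MD5)$/)
                print "ssl_cipher_list: " tok[i] " admits weak or medium-strength suites"
    }' "$@" | grep . && return 1
    return 0
}

# Constructed sample configs; the certificate paths are placeholders.
weak_cfg() {
    printf '%s\n' 'server_port=5666' 'ssl_version=SSLv2+' 'ssl_use_adh=1' \
        'ssl_cipher_list=ALL:!MD5:@STRENGTH'
}
hardened_cfg() {
    printf '%s\n' 'server_port=5666' 'ssl_version=TLSv1.2+' 'ssl_use_adh=0' \
        'ssl_cert_file=/path/to/nrpe-cert.pem' \
        'ssl_privatekey_file=/path/to/nrpe-key.pem' \
        'ssl_cipher_list=HIGH:!aNULL:!eNULL:!3DES:!MD5'
}

for sample in weak_cfg hardened_cfg; do
    echo "== $sample =="
    "$sample" | audit_nrpe_ssl || true
done
```

To audit a real client, pass the path of its nrpe.cfg as the argument to `audit_nrpe_ssl`. Whatever the agent is tightened to, the check_nrpe plugin on the XI server has to be able to negotiate the same protocol and ciphers, or the handshake error from the question returns.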
NMFSTeam
Posts: 88
Joined: Thu Nov 12, 2015 9:01 am

Re: NRPE upgrade from 2.15 to 3.20 and SSL

Post by NMFSTeam »

Great, thank you very much! We'll give this a shot.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NRPE upgrade from 2.15 to 3.20 and SSL

Post by scottwilkerson »

mblower wrote: Great, thank you very much! We'll give this a shot.

Let us know if you have continued issues
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
NMFSTeam
Posts: 88
Joined: Thu Nov 12, 2015 9:01 am

Re: NRPE upgrade from 2.15 to 3.20 and SSL

Post by NMFSTeam »

To upgrade the check_nrpe plugin on the Nagios XI server, can we simply copy the check_nrpe file from one of the recently updated remote hosts (clients) and replace it on the Nagios XI server? On the clients, the check_nrpe file is located in: /usr/local/nagios/libexec/

Thanks.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NRPE upgrade from 2.15 to 3.20 and SSL

Post by scottwilkerson »

mblower wrote: To upgrade the check_nrpe plugin on the Nagios XI server, can we simply copy the check_nrpe file from one of the recently updated remote hosts (clients) and replace it on the Nagios XI server? On the clients, the check_nrpe file is located in: /usr/local/nagios/libexec/

Thanks.

They should work interchangeably, however if the systems are the same, you may be able to just copy the plugin over... I would make a backup of the original check_nrpe on your XI system first
NMFSTeam
Posts: 88
Joined: Thu Nov 12, 2015 9:01 am

Re: NRPE upgrade from 2.15 to 3.20 and SSL

Post by NMFSTeam »

Ok, so I have been able to get the Nagios XI server to talk to a client machine (check_nrpe) using SSL, on the command line. How do I then translate this to the checks that Nagios XI is performing on a myriad of hosts? Do I have to go in to each service (web interface), re-configure, and change the "Monitor the service with this command" field? If so, what do I change it to? For instance, a "Memory Usage" check currently has the following in the field: check_nrpe!check_mem!-a '-w 20 -c 10'

From the Nagios XI server command line, the following command works: /usr/local/nagios/libexec/check_nrpe -f /usr/local/nagios/etc/check_nrpe.config -H 192.168.0.15

Please advise.

Thanks!
dwasswa

Re: NRPE upgrade from 2.15 to 3.20 and SSL

Post by dwasswa »

Hi

The answer is yes, you have to go in to each service (web interface), re-configure, and change the "Monitor the service with this command" field.

If you have a lot of hosts and services to reconfigure, here are a few options:

1. Create a template you can use.

2. You can use the bulk modification tool. The bulk modification tool easily lets you modify everything at once.
Here is a tutorial on how to use that: Core Config Manager - Bulk Modification Tool

Let us know if you have any questions.
NMFSTeam
Posts: 88
Joined: Thu Nov 12, 2015 9:01 am

Re: NRPE upgrade from 2.15 to 3.20 and SSL

Post by NMFSTeam »

Ok, bulk modification tool sounds like a plan. Or a template going forward. Good suggestions, thank you! I think I have figured out the syntax of the command, I am using this and it seems to be working: check_nrpe!check_mem!-f /usr/local/nagios/etc/check_nrpe.config -a '-w 20 -c 10'
dwasswa

Re: NRPE upgrade from 2.15 to 3.20 and SSL

Post by dwasswa »

Hi @mblower,

We are glad everything worked out for you.

I will now close this thread as resolved.

If you have any questions, please open a new thread and we will be more than happy to help.

Thank you for using Nagios Support Forum.