I can't understand how nrpe 2.16 should be installed

nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

I can't understand how nrpe 2.16 should be installed

Post by nihvel »

It seems that nrpe 2.16 has better SSL support.

Ubuntu Server 14.04.03
I downloaded the zip from https://github.com/NagiosEnterprises/nr ... e-2-16-RC2 and manually copied what's inside into a new nagios server test machine.
So:

Code: Select all

root@nagios02:/home/user/downloads/nrpe-2-16rc2# ./configure --with-nagios-user=nagios --with-nagios-group=nagios --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu

and edited vi /usr/local/nagios/etc/nrpe.cfg to:

Code: Select all

# SSL/TLS OPTIONS
# These directives allow you to specify how to use SSL/TLS.

# SSL VERSION
# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
#        SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
#        TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
#        TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
#        TLSv1.2+ (use TLSv1.2 or above)
# If an "or above" version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.

ssl_version=TLSv1.2+

# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.

#ssl_use_adh=1

# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in this version but
# will be changed to something something else in a later version of NRPE.

ssl_cipher_list=ALL:!MD5:@STRENGTH

# SSL Certificate and Private Key Files

#ssl_cacert_file=/usr/local/nagios/com/ssl/ca-cert.pem
#ssl_cert_file=/usr/local/nagios/com/ssl/nagios-cert.pem
#ssl_privatekey_file=/usr/local/nagios/com/ssl/nagios-key.pem


# SSL CLIENT CERTS
# This options determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates
#         1 = Ask for client certificates
#         2 = Require client certificates

#ssl_client_certs=0

# SSL LOGGING
# This option determines which SSL messages are send to syslog. OR values
# together to specify multiple options.

# Values: 0x00 (0)  = No additional logging (default)
#         0x01 (1)  = Log startup SSL/TLS parameters
#         0x02 (2)  = Log remote IP address
#         0x04 (4)  = Log SSL/TLS version of connections
#         0x08 (8)  = Log which cipher is being used for the connection
#         0x10 (16) = Log if client has a certificate
#         0x20 (32) = Log details of client's certificate if it has one
#         -1 or 0xff or 0x2f = All of the above

ssl_logging=0

If something is wrong, please correct me :?

Now, what and how should I install the nrpe-server on a client-testing machine?
Should I use this same version? How should I configure it then?
Really, there's no documentation anywhere and the readme file inside the zip doesn't say anything. It's just a copy/paste of files from years ago, which don't say anything either.

Edit: using code and not quote
Last edited by nihvel on Mon Dec 14, 2015 10:31 am, edited 1 time in total.
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: I can't understand how nrpe 2.16 should be installed

Post by hsmith »

I assume you never compiled it then? What you downloaded was the source code.

Take a look at this: https://assets.nagios.com/downloads/nag ... ios-XI.pdf

I have to warn you 2.16 isn't officially released yet, so we can't guarantee functionality from a support standpoint.
Former Nagios Employee.
me.
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

hsmith wrote:I assume you never compiled it then? What you downloaded was the source code.

Take a look at this: https://assets.nagios.com/downloads/nag ... ios-XI.pdf

I have to warn you 2.16 isn't officially released yet, so we can't guarantee functionality from a support standpoint.

Thanks! So fast.
Actually yes, I followed these instructions on another test client while testing nrpe 2.15 (whose poor SSL support I discovered later), and in that case the issue was that:

Code: Select all

netstat -at | grep nrpe 

was empty. I mean, no service running, and obviously the service nagios-nrpe-server works when installing nrpe using apt-get install nagios-nrpe-server.

I have probably worked too much today and I can't see how simple it is. But believe me, I only see a mess at this moment :/
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: I can't understand how nrpe 2.16 should be installed

Post by hsmith »

The netstat should be empty if you're following those instructions. It doesn't install as a daemon, it installs running under xinetd. You'll want to netstat and grep for xinetd.
Former Nagios Employee.
me.
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

OK, well, this is true, I didn't think of it. I'm going to set up another VM and see if I can get things running.
I'll be trying both nrpe 2.15 and 2.16. I really appreciate your warning about 2.16, but I need to test and give the results to my colleague and see if we can agree on a solution with nagios or change product. We need strong encryption.
Thanks again! I'll be updating here if you don't mind
hsmith
Agent Smith
Posts: 3539
Joined: Thu Jul 30, 2015 11:09 am
Location: 127.0.0.1

Re: I can't understand how nrpe 2.16 should be installed

Post by hsmith »

Let us know what you come up with, always happy to help, and hopefully you stick with us! :)
Former Nagios Employee.
me.
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

It's all about who offers the best encryption at a reasonable cost. At the moment with nagios core I've got the best cost ever (free) and the worst encryption, but this is about nrpe 2.15.
Which yes, I ran tests again and I can't make the client reply with SSL. Never mind, I know that even if I made it work it's probably not good for my company's needs.

That's why I'm more into the nrpe 2.16rc2.
aaaand yes, I compiled using:

Code: Select all

useradd banana
groupadd bananagrp
usermod -a -G bananagrp banana
passwd banana
[...]
apt-get install build-essential openssl libssl-dev xinetd unzip libsys-statistics-linux-perl -y
[ cd ../nagios-plugins-2-11 ]
./configure --with-nagios-user=banana --with-nagios-group=bananagrp --with-openssl
[ cd ../nrpe-2-16 ]
./configure --with-nrpe-user=banana --with-nrpe-group=bananagrp --with-nagios-user=banana --with-nagios-group=bananagrp --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu

Both are running under xinetd:

Code: Select all

# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = nagios
        group           = nagios
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 192.168.10.215
}

The client is the same except for the user and group, which is banana.

Nrpe.cfg Server

Code: Select all

log_facility=daemon
pid_file=/var/run/nrpe.pid
server_port=5666
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=127.0.0.1
dont_blame_nrpe=0
allow_bash_command_substitution=0
debug=0
command_timeout=60
connection_timeout=300

# SSL/TLS OPTIONS
# These directives allow you to specify how to use SSL/TLS.

# SSL VERSION
# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
#        SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
#        TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
#        TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
#        TLSv1.2+ (use TLSv1.2 or above)
# If an "or above" version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.

ssl_version=TLSv1.2+

# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.

#ssl_use_adh=1

# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in this version but
# will be changed to something something else in a later version of NRPE.

ssl_cipher_list=ALL:!MD5:@STRENGTH

# SSL Certificate and Private Key Files

#ssl_cacert_file=/usr/local/nagios/com/ssl/ca-cert.pem
#ssl_cert_file=/usr/local/nagios/com/ssl/nagios-cert.pem
#ssl_privatekey_file=/usr/local/nagios/com/ssl/nagios-key.pem


# SSL CLIENT CERTS
# This options determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates
#         1 = Ask for client certificates
#         2 = Require client certificates

#ssl_client_certs=0

# SSL LOGGING
# This option determines which SSL messages are send to syslog. OR values
# together to specify multiple options.

# Values: 0x00 (0)  = No additional logging (default)
#         0x01 (1)  = Log startup SSL/TLS parameters
#         0x02 (2)  = Log remote IP address
#         0x04 (4)  = Log SSL/TLS version of connections
#         0x08 (8)  = Log which cipher is being used for the connection
#         0x10 (16) = Log if client has a certificate
#         0x20 (32) = Log details of client's certificate if it has one
#         -1 or 0xff or 0x2f = All of the above

ssl_logging=0

nrpe.cfg Client:

Code: Select all

log_facility=daemon
pid_file=/var/run/nrpe.pid
server_port=5666
nrpe_user=banana
nrpe_group=bananagrp
allowed_hosts=127.0.0.1
dont_blame_nrpe=0
allow_bash_command_substitution=0
debug=0
command_timeout=60
connection_timeout=300

# SSL/TLS OPTIONS
# These directives allow you to specify how to use SSL/TLS.

# SSL VERSION
# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
#        SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
#        TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
#        TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
#        TLSv1.2+ (use TLSv1.2 or above)
# If an "or above" version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2.

ssl_version=TLSv1.2+

# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.

#ssl_use_adh=1

# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in this version but
# will be changed to something something else in a later version of NRPE.

ssl_cipher_list=ALL:!MD5:@STRENGTH

# SSL Certificate and Private Key Files

#ssl_cacert_file=/usr/local/nagios/com/ssl/ca-cert.pem
#ssl_cert_file=/usr/local/nagios/com/ssl/nagios-cert.pem
#ssl_privatekey_file=/usr/local/nagios/com/ssl/nagios-key.pem

# SSL CLIENT CERTS
# This options determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates
#         1 = Ask for client certificates
#         2 = Require client certificates

#ssl_client_certs=0

# SSL LOGGING
# This option determines which SSL messages are send to syslog. OR values
# together to specify multiple options.

# Values: 0x00 (0)  = No additional logging (default)
#         0x01 (1)  = Log startup SSL/TLS parameters
#         0x02 (2)  = Log remote IP address
#         0x04 (4)  = Log SSL/TLS version of connections
#         0x08 (8)  = Log which cipher is being used for the connection
#         0x10 (16) = Log if client has a certificate
#         0x20 (32) = Log details of client's certificate if it has one
#         -1 or 0xff or 0x2f = All of the above
#ssl_logging=0

command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200 
command[check_ssh]=/usr/local/nagios/libexec/check_ssh 127.0.0.1
command[check_disk]=/usr/local/nagios/libexec/check_linux_stats.pl -D -w 10 -c 5 -p /,/home,/var -u %
command[check_load]=/usr/local/nagios/libexec/check_linux_stats.pl -L -w 10,8,5 -c 20,18,15
command[check_mem]=/usr/local/nagios/libexec/check_linux_stats.pl -M -w 100,25 -c 100,50
command[check_cpu]=/usr/local/nagios/libexec/check_linux_stats.pl -C -w 99 -c 100 -s 5
command[check_open_file]=/usr/local/nagios/libexec/check_linux_stats.pl -F -w 10000,250000 -c 15000,350000
command[check_io]=/usr/local/nagios/libexec/check_linux_stats.pl -I -w 2000,600 -c 3000,800 -p sda1,sda3,sda4 -s 5
command[check_procs]=/usr/local/nagios/libexec/check_linux_stats.pl -P -w 1000 -c 2000
command[check_net]=/usr/local/nagios/libexec/check_linux_stats.pl -N -w 1000000 -c 1500000 -p eth0 -s 5
command[check_socket]=/usr/local/nagios/libexec/check_linux_stats.pl -S -w 500 -c 1000
command[check_uptime]=/usr/local/nagios/libexec/check_linux_stats.pl -U -w 5
command[check_ctxt]=/usr/local/nagios/libexec/check_linux_stats.pl -X -w 6000 -c 70000 -s 2

The server sends the command using TLSv1.2.
The client responds in TCP, plain text.


I'm trying to upload a screenshot now, will be editing in a few minutes
Edit: added screenshot
192.168.10.215 is the server, 219 the client.
I can see that the client responds to requests through port 5666 (true) but without SSL.
Can you tell me if there is something wrong in my configuration?
I'd much appreciate it! Thank you


EDIT2:
I'm using VMs through VirtualBox and VMware Player, and probably the issue is here. I'm running tests on physical or ESXi machines and I'll see.

EDIT3:
I can confirm that there is no ssl encryption, using this configuration, between server and client. And this time I tested in a real testing environment/ pre production.
Now I'm trying using the certificates.. and I'll see

EDIT4:
With the certificates seems that nothing's changed and as a plus I no longer see TLSv1.2 but only tcp packets (probably that TLSv1.2 I was seeing before was the apache2 certificate).

Same question I asked previously, is my conf. good? (I mean, if it does not work of course it is not good) how should I fix or add the encryption?
Attachments
sreen1.PNG
jfrickson

Re: I can't understand how nrpe 2.16 should be installed

Post by jfrickson »

Your nrpe.cfg looks fine. It should talk to an older check_nrpe or a 2.16 check_nrpe.

If you want to change any of the default settings on check_nrpe, it's done using command line arguments, not a config file.

There should be a `README.SSL.md` in the zip you downloaded that explains all the new SSL stuff.
jfrickson

Re: I can't understand how nrpe 2.16 should be installed

Post by jfrickson »

Also, remember that check_nrpe runs on the machine running nagios, and nrpe is on the other machines. So client & server are kind of reversed here.

You might want to enable logging on both ends so you can see what's going on. In nrpe.cfg use ssl_logging=0x2f and your check_nrpe command line should include -s 0x2f.
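
The settings discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from the NRPE project: it reads the active (uncommented) SSL directives of an nrpe.cfg, applies the defaults stated in the config's own comments, and decodes `ssl_logging` using the bit table from those comments. The function names are hypothetical, and treating `ssl_use_adh=0` as "ADH disabled" is an assumption, since the comments only list 1 and 2.

```python
import re

# Bit meanings copied from the "SSL LOGGING" comment table in the posted nrpe.cfg.
SSL_LOG_FLAGS = {0x01: "startup parameters", 0x02: "remote IP address",
                 0x04: "SSL/TLS version", 0x08: "cipher in use",
                 0x10: "client has a certificate", 0x20: "client certificate details"}

# Constructed sample: SSL lines from the config posted above, comments trimmed.
SAMPLE_CFG = """\
ssl_version=TLSv1.2+
#ssl_use_adh=1
ssl_cipher_list=ALL:!MD5:@STRENGTH
#ssl_cacert_file=/usr/local/nagios/com/ssl/ca-cert.pem
#ssl_client_certs=0
ssl_logging=0
"""

def active_directives(cfg_text):
    """Return {name: value} for uncommented name=value lines; '#' lines are ignored."""
    found = {}
    for line in cfg_text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def decode_ssl_logging(value):
    """Turn an ssl_logging value (decimal, hex or -1) into the messages it enables."""
    bits = int(value, 0) & 0xFF
    return [name for bit, name in SSL_LOG_FLAGS.items() if bits & bit]

def audit(cfg_text):
    """List settings that leave the NRPE TLS channel unauthenticated or unobservable."""
    d = active_directives(cfg_text)
    findings = []
    # Defaults below are the ones stated in the config's own comments.
    ciphers = d.get("ssl_cipher_list", "ALL:!MD5:@STRENGTH").split(":")
    if "ALL" in ciphers and "!aNULL" not in ciphers:
        findings.append("cipher list still admits anonymous (unauthenticated) suites")
    if d.get("ssl_use_adh", "1") != "0":  # assumption: 0 disables ADH
        findings.append("ssl_use_adh is not 0, so anonymous DH stays enabled")
    if not {"ssl_cacert_file", "ssl_cert_file", "ssl_privatekey_file"}.issubset(d):
        findings.append("certificate, key or CA file not configured")
    if d.get("ssl_client_certs", "0") != "2":
        findings.append("client certificates are not required")
    if not decode_ssl_logging(d.get("ssl_logging", "0")):
        findings.append("ssl_logging is 0, so negotiated version/cipher is never logged")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG):
        print("WARN:", finding)
    print("0x2f enables:", decode_ssl_logging("0x2f"))
```

Going by the bit table in the posted config, 0x2f does not set the 0x10 bit ("Log if client has a certificate"); 0x3f is the value with all six bits set.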
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: I can't understand how nrpe 2.16 should be installed

Post by nihvel »

jfrickson wrote:Your nrpe.cfg looks fine. It should talk to an older check_nrpe or a 2.16 check_nrpe.

If you want to change any of the default setting on check_nrpe, it's done using command line arguments, not a config file.

There should be a `README.SSL.md` in the zip you downloaded that explains all the new SSL stuff.

Yes, I've been reading that file for 2 days, directly from GitHub, and this is how I discovered v. 2.16.
However, I followed everything and the communication works, everything works, but I am not able to really test whether I am or am not using encryption, just because my only tool is Wireshark and what I see is that there's no encryption.
It was late when I started checking with logging enabled and I closed. I'll be trying again tomorrow

Anyway, I accept any suggestion, so thank you for also checking the configuration! And yes, I also used to test from the command line like:
./check_nrpe -H client.ip -S TLSv2 -c check_somecommand
the client receives and responds
and Wireshark shows TCP packets and no TLS or whatever :(
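
Whether a session on port 5666 is encrypted can be read from the first bytes of the first payload the checking host sends, whatever protocol label a capture tool puts on the packet. The following is an added example, not part of the thread: the function name and both payloads are constructed, and the plaintext NRPE v2 packet layout is an assumption taken from general knowledge of the protocol rather than from anything posted here.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def classify_first_payload(data):
    """Classify the first TCP payload check_nrpe sends to port 5666."""
    if len(data) < 11:
        return ("unknown", None)
    # TLS record header: content type (0x16 = handshake), record version, length.
    ctype, rec_version, _length = struct.unpack("!BHH", data[:5])
    if ctype == 0x16 and rec_version in TLS_VERSIONS and data[5] == 0x01:
        # Handshake type 0x01 = ClientHello; the offered version sits at bytes 9-10.
        (offered,) = struct.unpack("!H", data[9:11])
        return ("tls-client-hello", TLS_VERSIONS.get(offered, hex(offered)))
    # Assumed NRPE v2 layout: int16 version, int16 type, uint32 crc32,
    # int16 result code, then a NUL-terminated command buffer.
    pkt_version, pkt_type = struct.unpack("!hh", data[:4])
    if pkt_version == 2 and pkt_type == 1:
        command = data[10:].split(b"\0", 1)[0].decode("ascii", "replace")
        return ("plaintext-nrpe-query", command)
    return ("unknown", None)

# Constructed payloads (not taken from the poster's capture).
# A ClientHello offering TLSv1.2 inside a record marked 0x0301, body zero-filled.
TLS_HELLO = bytes.fromhex("16030100310100002d0303") + bytes(43)
# A plaintext v2 query with a placeholder CRC; the command name is readable on the wire.
PLAIN_QUERY = struct.pack("!hhIh", 2, 1, 0, 0) + b"check_users\0" + bytes(16)

if __name__ == "__main__":
    for name, payload in (("TLS_HELLO", TLS_HELLO), ("PLAIN_QUERY", PLAIN_QUERY)):
        print(name, "->", classify_first_payload(payload))
```

To use it on a real capture, paste the hex of the first client-to-server payload into `bytes.fromhex(...)` and pass the result to `classify_first_payload`.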