NSClient++, NRPE client, and "allowed_hosts" ...

PhilG
Posts: 286
Joined: Thu Jan 16, 2014 10:24 am

Post by PhilG »

Hello:
I've spent a number of hours attempting to research a question for my colleague:
When installing/configuring the NSClient++ agent on a Windows server and using "check_nt" only, is it required to include the local host IP, 127.0.0.1, in the "allowed_hosts" field?

Reason for asking:
When installing/configuring the NRPE client agent on a Linux server, the URL "http://assets.nagios.com/downloads/nagi ... utions.pdf" references the following:
"One thing to note is that localhost (127.0.0.1) should remain as it allows you to troubleshoot NRPE issues locally."
and URL "http://beginlinux.com/blog/2009/03/nagi ... with-nrpe/" references to include both the local host and monitoring server's IP:
"Nagios: Monitoring Windows Machines with NRPE:
Go to the global section, [Settings], and be sure to limit the access to the Windows server that you are going to monitor. Under the Allowed Hosts section enter the local host and any other connections that you want to enable. These addresses will be separated by a comma.
allowed_hosts=127.0.0.1/32,192.168.5.50
"
whereas, through all the documentation and discussions I've found about NSClient++, I've found references to using only the monitoring server IP, e.g.:
http://assets.nagios.com/downloads/nagi ... ios-XI.pdf
http://www.csti.inf.br/monitora/NSC.ini

NSClient++ is installed on the Windows servers with no issues and uses the NSC.INI, and the Nagios XI Windows Server Wizard was used to configure it, and monitoring for the Windows server is working with no issue. I can only think that it would be needed for testing only.
Newbie '14
Box293
Too Basu
Posts: 5126
Joined: Sun Feb 07, 2010 10:55 pm
Location: Deniliquin, Australia
Contact:

Re: NSClient++, NRPE client, and "allowed_hosts" ...

Post by Box293 »

PhilG wrote: I can only think that it would be needed for testing only.
That's pretty much well it. I've run NSClient++ in an environment without the 127.0.0.1 address without any issues.

From a "security" point of view, anyone logged onto that server locally could issue check_nt commands locally and one of those commands might be able to do something destructive. So removing the 127.0.0.1 prevents this possible security hole.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
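
A check for the point made in the reply above, as an added example that is not part of the thread or of NSClient++: it parses an NSC.ini and reports `allowed_hosts` entries that are loopback, a range, or not a known monitoring server. The sample file and the function name `audit_allowed_hosts` are constructed for illustration, and scanning every section rather than only `[Settings]` goes beyond the case discussed in the thread.

```python
import configparser
import ipaddress

# Constructed sample using the allowed_hosts line quoted in the thread.
SAMPLE_NSC_INI = """\
[modules]
NSClientListener.dll

[Settings]
allowed_hosts=127.0.0.1/32,192.168.5.50
"""


def audit_allowed_hosts(ini_text, monitoring_servers):
    """Return (section, entry, reason) for each entry that needs review."""
    expected = {ipaddress.ip_address(a) for a in monitoring_servers}
    # allow_no_value: [modules] lists bare DLL names with no "=value".
    parser = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None)
    parser.read_string(ini_text)
    findings = []
    for section in parser.sections():
        raw = parser.get(section, "allowed_hosts", fallback=None)
        if raw is None:
            continue
        for entry in (e.strip() for e in raw.split(",")):
            if not entry:
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((section, entry, "hostname, resolve and review"))
                continue
            if net.is_loopback:
                findings.append((section, entry, "loopback"))
            elif net.num_addresses > 1:
                findings.append((section, entry, "range"))
            elif net.network_address not in expected:
                findings.append((section, entry, "unexpected host"))
    return findings


if __name__ == "__main__":
    for finding in audit_allowed_hosts(SAMPLE_NSC_INI, ["192.168.5.50"]):
        print(finding)
```
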
PhilG
Posts: 286
Joined: Thu Jan 16, 2014 10:24 am

Re: NSClient++, NRPE client, and "allowed_hosts" ...

Post by PhilG »

Okay, thank you.

You may freeze this post.
Newbie '14
cmerchant
Posts: 546
Joined: Wed Sep 24, 2014 11:19 am

Re: NSClient++, NRPE client, and "allowed_hosts" ...

Post by cmerchant »

We'll go ahead and close this thread. Thanks.