hostnames in nsca config

[WillemDH]

Is it possible to use hostnames in the only_from directive of /etc/xinetd.d/nsca or does it only accept ip addresses. It's because I have a host with a dynamic ip address which has a dyndns host record.

[Box293]

I believe DNS entries are allowed, I've seen the same done with the NRPE agent which uses an almost identical config.

[WillemDH]

K tx. I'll test this soon. An other question. Is it possible to use ranges? It seems I'm not (yet?) using the only _from directive in /etc/xinetd.d/nsca on my production server. it would be nearly impossible to configure 600 ip addresses, but these 600 hosts are divided in +- 4 big ip ranges. Any info on this? https://www.google.be/url?sa=t&rct=j&q= ... 15-HsCwQcA

doesn't mention anything about ranges. It would be nice to be able to use

only_from 15.10.2.x

[tgriep]

I tried to use 15.10.2.x and 15.10.2.0/24 and both failed.
Your only option for multiple hosts is to remove the only_from all together from the config file and then it will work for any IP address.

[WillemDH]

Thanks for testing this. What do you think. Is this worth a feature request? This is for Nagios Core I guess.. It just doesn't feel righ right everyone can send. Would it add an extra layer of protection, or would it just consume resources... ?

[Box293]

I'm surprised a range doesn't work. In my /etc/xinetd.d/nrpe file I have:

only_from = 10.25.0.0/16

I would only assume this would work in the nsca file.

[WillemDH]

I tested this again and i found out that hostnames do no seem to work. IP Address ranges do seem to work.

So this:

Code: Select all

only_from       = 127.0.0.1 212.71.234.84 78.21.32.0/21

Allowed me to send from 78.21.36.13 with subnet 255.255.248.0

Would it be opportune to make a feature request so hostnames become allowed in the nsca config file? I can see use in this for hosts with a dynamic ip addresses. Low priority is fine for me.

Besides the above, I think the https://assets.nagios.com/downloads/nag ... ios-XI.pdf could use an update with an example ip range and also a command to restart xinetd on CentOS 7 systems:

Code: Select all

sudo systemctl restart xinetd

Grtz

Willem

[tmcdonald]

The xinetd config file for NSCA is not something we can change the behavior of, but according to man xinetd.conf the hostname should work just fine as long as a reverse lookup matches:

Code: Select all

only_from        determines the remote hosts to which the particular service is available.  Its value is a list of IP addresses which can be specified in any combination of the
				following ways:

				a)   a  numeric  address  in  the  form of %d.%d.%d.%d. If the rightmost components are 0, they are treated as wildcards (for example, 128.138.12.0 matches all
					 hosts on the 128.138.12 subnet).  0.0.0.0 matches all Internet addresses.  IPv6 hosts may be specified in the form of abcd:ef01::2345:6789.  The rightmost
					 rule for IPv4 addresses does not apply to IPv6 addresses.

				b)   a factorized address in the form of %d.%d.%d.{%d,%d,...}.  There is no need for all 4 components (i.e. %d.%d.{%d,%d,...%d} is also ok).  However, the fac-
					 torized part must be at the end of the address.  This form does not work for IPv6 hosts.

				c)   a network name (from /etc/networks). This form does not work for IPv6 hosts.

				d)   a host name.  When a connection is made to xinetd, a reverse lookup is performed, and the canonical name returned is compared to the specified host  name.
					 You may also use domain names in the form of .domain.com.  If the reverse lookup of the client’s IP is within .domain.com, a match occurs.

				e)   an ip address/netmask range in the form of 1.2.3.4/32.  IPv6 address/netmask ranges in the form of 1234::/46 are also valid.

				Specifying this attribute without a value makes the service available to nobody.

Regarding the doc, I'll see about getting that updated.

[ssax]

This is an xinetd specific configuration option, it says you should be able to:

http://linux.die.net/man/5/xinetd.conf

Search for only_from and it will give you what is supported.

Edit: Dang, I was too slow..

[Box293]

Besides the above, I think the https://assets.nagios.com/downloads/nag ... ios-XI.pdf could use an update with an example ip range and also a command to restart xinetd on CentOS 7 systems:

Code: Select all

sudo systemctl restart xinetd

Documentation has now been updated with these suggestions, thanks for the feedback.