Nrpe is not secure with SSL

nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Post by nihvel »

I've been using Wireshark heavily over the last few days because it seems that I am not able to secure nrpe any more than the various tutorials tell you to.

SERVER: Ubuntu 14.04.03
My nagios server is 4.1.1 version.
Nrpe is 2.15

Apache2's got digest auth. and ssl cert.
Nrpe was configured like this: ./configure --enable-command-args --with-nagios-user=nagios --with-nagios-group=nagios --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu
But now the server is using the user (let's call it) ciccio for nrpe, group: cicciomix

vi /etc/xinetd.d/nrpe

Code:

# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
        flags           = REUSE
        socket_type     = stream
        port            = 5666
        wait            = no
        user            = ciccio
        group           = cicciomix
        server          = /usr/local/nagios/bin/nrpe
        server_args     = -c /usr/local/nagios/etc/nrpe.cfg --inetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 127.0.0.1 192.168.10.215
}

CLIENT: Ubuntu 14.04.03

At the beginning I installed nrpe using: apt-get install nagios-nrpe-server nagios-plugins
Then I wanted to use SSL here as well, so I:

Code:

curl -L -O http://downloads.sourceforge.net/project/nagios/nrpe-2.x/nrpe-2.15/nrpe-2.15.tar.gz
[...]
./configure --with-nrpe-user=banana --with-nrpe-group=bananagrp --with-nagios-user=banana --with-nagios-group=bananagrp --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu

I don't want to use nagios or nrpe user, banana is just an example.

I just want to skip where the server actually sends TLSv1.2 packets (as Wireshark reports to me) BUT the client responds in clear text, TCP.
Nagios of course is working and all my services and hosts are under monitoring.

Can anybody tell me how to encrypt everything between Nagios, Nrpe both server and client side?

TY, respect!

EDIT: I just discovered that apt-get install nagios-nrpe-server nagios-plugins IS NOT the same as curl -L -O http://***/nrpe-2.15.tar.gz
since the 1st is the one for every client (therefore the nrpe server) and the 2nd is the Nagios server nrpe plugin.

You can ./configure the Nagios server nrpe plugin with support for ssl (and it works)
BUT you can not ./configure the nagios-nrpe-server because you can only install it using apt-get install.
So, there is no encryption when the remote client responds to nrpe.
Unless, of course, the Nagios server would begin a communication with its client and the client would respond in the same opened communication. But this does not happen.
Last edited by nihvel on Mon Dec 14, 2015 6:51 am, edited 1 time in total.
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Nrpe is not secure with SSL

Post by rkennedy »

Can you post the result of this command?

Code:

apt-file search libssl | grep libssl-dev

Former Nagios Employee
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: Nrpe is not secure with SSL

Post by nihvel »

rkennedy wrote: Can you post the result of this command?

Code:

apt-file search libssl | grep libssl-dev

Hi, at the moment I'm not in my office but yes, I do have both ssl and dev ssl installed. I also generated the key for Apache and used it for other things too.
When I send the command to update a sensor from the Nagios web interface, Wireshark actually sniffs that command and I can see (using the filter ip.src=server.ip) TLSv1, but when the client replies (filter on ip.src=client.ip) everything is in clear text.
When I send commands from ssh instead, like ./check_nrpe -H clientIP -c check_cpu, Wireshark sniffs the packet from ssh as ip.src=server and the reply from the client as tcp, again like before in clear text.
Server and client have got the same ssl version, the latest from February, if I'm not wrong.
I'll be back in my office on Monday; I can do all the tests needed.
Thanks for your support
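One way to check what each direction of a captured NRPE connection carries, independently of the Protocol column Wireshark displays, as an added example that is not part of the original posts: it classifies the first payload bytes of each direction as a TLS record or a cleartext NRPE v2 packet. The NRPE v2 layout used here (10-byte header, 1024-byte buffer, 2 padding bytes, CRC32 over the packet with the CRC field zeroed), the function names and the sample byte strings are assumptions constructed for the example.

```python
import struct
import zlib

NRPE_V2_LEN = 1036  # assumed v2 layout: 10-byte header, 1024-byte buffer, 2 pad bytes
TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}


def build_nrpe_v2(packet_type, result_code, text):
    """Build a cleartext NRPE v2 packet; used only to construct sample data."""
    body = text.encode("ascii").ljust(1024, b"\0") + b"\0\0"
    unsigned = struct.pack("!hhIh", 2, packet_type, 0, result_code) + body
    crc = zlib.crc32(unsigned) & 0xFFFFFFFF
    return struct.pack("!hhIh", 2, packet_type, crc, result_code) + body


def classify(payload):
    """Return 'tls:<record type>', 'nrpe-cleartext:<text>' or 'unknown'."""
    # TLS record header: content type, version 3.x, 16-bit record length.
    if len(payload) >= 5 and payload[0] in TLS_TYPES \
            and payload[1] == 3 and payload[2] <= 4:
        (length,) = struct.unpack("!H", payload[3:5])
        if 0 < length <= 16384 + 2048:
            return "tls:" + TLS_TYPES[payload[0]]
    # Cleartext NRPE v2: fixed size, version 2, query (1) or response (2),
    # and a CRC32 computed over the packet with the CRC field zeroed.
    if len(payload) == NRPE_V2_LEN:
        version, ptype, crc, _result = struct.unpack("!hhIh", payload[:10])
        zeroed = payload[:4] + b"\0\0\0\0" + payload[8:]
        if version == 2 and ptype in (1, 2) \
                and crc == zlib.crc32(zeroed) & 0xFFFFFFFF:
            text = payload[10:1034].split(b"\0", 1)[0]
            return "nrpe-cleartext:" + text.decode("ascii", "replace")
    return "unknown"


def check_stream(nagios_to_agent, agent_to_nagios):
    """Classify the first payload seen in each direction of one connection."""
    return {"nagios_to_agent": classify(nagios_to_agent),
            "agent_to_nagios": classify(agent_to_nagios)}


# Constructed samples: a TLS handshake record header with a dummy body,
# and a cleartext NRPE response such as an agent without SSL would send.
SAMPLE_TLS = b"\x16\x03\x01\x00\x2f" + bytes(47)
SAMPLE_CLEAR = build_nrpe_v2(2, 0, "OK - load average: 0.01")

if __name__ == "__main__":
    print(check_stream(SAMPLE_TLS, SAMPLE_CLEAR))
```

The payloads to feed in are the first bytes sent by each side of the port 5666 connection, for instance exported in raw form from Wireshark's Follow TCP Stream view.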
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: Nrpe is not secure with SSL

Post by nihvel »

rkennedy wrote: Can you post the result of this command?

Code:

apt-file search libssl | grep libssl-dev

Alright, at first I had to install apt-get install apt-file
Then I apt-file update

And finally the result of that command is:

Code:

libssl-dev: /usr/lib/x86_64-linux-gnu/libssl.a
libssl-dev: /usr/lib/x86_64-linux-gnu/libssl.so
libssl-dev: /usr/lib/x86_64-linux-gnu/pkgconfig/libssl.pc
libssl-dev: /usr/share/doc/libssl-dev/changelog.Debian.gz
libssl-dev: /usr/share/doc/libssl-dev/changelog.gz
libssl-dev: /usr/share/doc/libssl-dev/copyright

Last edited by nihvel on Mon Dec 14, 2015 10:50 am, edited 1 time in total.
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: Nrpe is not secure with SSL

Post by nihvel »

Hi rkennedy, thank you for helping me with this issue. You're a mod, aren't you?
I forgot to write other results in my previous comment. Would you be so kind as to merge this post into the previous one if you think it is helpful?

./configure --enable-command-args --with-nagios-user=nagios --with-nagios-group=nagios --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu
--with-ssl=/usr/bin/openssl
root@nagios01:/usr/bin# ll open*
-rwxr-xr-x 1 root root 513280 Jun 11 2015 openssl*

--with-ssl-lib=/usr/lib/x86_64-linux-gnu
root@nagios01:/usr/bin# apt-file search libssl | grep libssl-dev
libssl-dev: /usr/lib/x86_64-linux-gnu/libssl.a
libssl-dev: /usr/lib/x86_64-linux-gnu/libssl.so
libssl-dev: /usr/lib/x86_64-linux-gnu/pkgconfig/libssl.pc
libssl-dev: /usr/share/doc/libssl-dev/changelog.Debian.gz
libssl-dev: /usr/share/doc/libssl-dev/changelog.gz
libssl-dev: /usr/share/doc/libssl-dev/copyright
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Nrpe is not secure with SSL

Post by ssax »

You should be able to use the same .tar.gz and compile it, which generates the plugin (check_nrpe) and the agent binary (nrpe) with SSL support; no need to use the apt command.
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: Nrpe is not secure with SSL

Post by nihvel »

ssax wrote: You should be able to use the same .tar.gz and compile it, which generates the plugin (check_nrpe) and the agent binary (nrpe) with SSL support; no need to use the apt command.

Hi! Yes, and I've actually opened a thread in another section about the "new" nrpe 2.16; it seems to have a more secure ssl and I need to test it.
Thing is, I'm unable to make it work with ssl and I really don't know why. With v. 2.15 (as I wrote above) the server can send encrypted commands but the client does not respond that way. Or at least this is what I read from Wireshark.
Isn't it weird?

Anyway,
after a strange behaviour of the VM Ubuntu-client-test3 (random resets and connection loss), I'm going to reinstall it over again with nrpe 2.16 and I'll see if this time something happens.
The same tests will be done, again, with v. 2.15, but if v. 2.16, even if still marked as work in progress, really turns out to be more secure than 2.15 (which it is said to be), I guess that I might use it for the final production env.

I need strong encryption, and best of all without using the nagios user (I'm working on it too, but it seems that Nagios wants the user to be nagios, and when you change it in nagios.conf, unlimited errors start to appear).
Any advice here?

Thank you all guys for your support

Edit:
This thread is strictly linked to this: https://support.nagios.com/forum/viewto ... 52#p164488
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: Nrpe is not secure with SSL

Post by nihvel »

Probably it is better to (re)start from scratch.
Can you guys please link official documentation where the steps to secure nrpe are explained from A to Z, using:
a certificate and/or a working ssl conf.
Can ya?

The document linked prev. is not good in this case and anyway does not talk about ssl
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Nrpe is not secure with SSL

Post by rkennedy »

As you have created a new post regarding this at https://support.nagios.com/forum/viewtopic.php?t=36199 - do you mind if I close this thread out and let the discussion continue there?
Former Nagios Employee
nihvel
Posts: 24
Joined: Fri Dec 11, 2015 9:10 am

Re: Nrpe is not secure with SSL

Post by nihvel »

rkennedy wrote: As you have created a new post regarding this at https://support.nagios.com/forum/viewtopic.php?t=36199 - do you mind if I close this thread out and let the discussion continue there?

Please proceed, I don't mind ;) as long as the other discussion is alive and would help me or someone else who's facing the same issue, I'm ok