It's all about who offers the best encryption at a reasonable cost, at the moment with nagios core I've got the best cost ever (free) and the worst encryption, but this is about nrpe 2.15.
Which, yes, I ran tests again and I can't make the client reply with SSL. Never mind, I know that even if I made it work it's probably not good for my company's needs.
That's why I'm more into the nrpe 2.16rc2.
aaaand yes, I compiled using:
Code:
useradd banana
groupadd bananagrp
usermod -a -G bananagrp banana
passwd banana
[...]
apt-get install build-essential openssl libssl-dev xinetd unzip libsys-statistics-linux-perl -y
[ cd ../nagios-plugins-2-11 ]
./configure --with-nagios-user=banana --with-nagios-group=bananagrp --with-openssl
[ cd ../nrpe-2-16 ]
./configure --with-nrpe-user=banana --with-nrpe-group=bananagrp --with-nagios-user=banana --with-nagios-group=bananagrp --with-ssl=/usr/bin/openssl --with-ssl-lib=/usr/lib/x86_64-linux-gnu
Both are running under xinetd:
Code:
# default: on
# description: NRPE (Nagios Remote Plugin Executor)
service nrpe
{
flags = REUSE
socket_type = stream
port = 5666
wait = no
user = nagios
group = nagios
server = /usr/local/nagios/bin/nrpe
server_args = -c /usr/local/nagios/etc/nrpe.cfg --inetd
log_on_failure += USERID
disable = no
only_from = 127.0.0.1 192.168.10.215
}
The client is the same except for the user and group, which is banana.
nrpe.cfg Server:
Code:
log_facility=daemon
pid_file=/var/run/nrpe.pid
server_port=5666
nrpe_user=nagios
nrpe_group=nagios
allowed_hosts=127.0.0.1
dont_blame_nrpe=0
allow_bash_command_substitution=0
debug=0
command_timeout=60
connection_timeout=300
# SSL/TLS OPTIONS
# These directives allow you to specify how to use SSL/TLS.
# SSL VERSION
# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
# SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
# TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
# TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
# TLSv1.2+ (use TLSv1.2 or above)
# If an "or above" version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and you specify SSLv2+, you will get TLSv1.2.
ssl_version=TLSv1.2+
# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.
#ssl_use_adh=1
# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in this version but
# will be changed to something else in a later version of NRPE.
ssl_cipher_list=ALL:!MD5:@STRENGTH
# SSL Certificate and Private Key Files
#ssl_cacert_file=/usr/local/nagios/com/ssl/ca-cert.pem
#ssl_cert_file=/usr/local/nagios/com/ssl/nagios-cert.pem
#ssl_privatekey_file=/usr/local/nagios/com/ssl/nagios-key.pem
# SSL CLIENT CERTS
# This option determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates
# 1 = Ask for client certificates
# 2 = Require client certificates
#ssl_client_certs=0
# SSL LOGGING
# This option determines which SSL messages are sent to syslog. OR values
# together to specify multiple options.
# Values: 0x00 (0) = No additional logging (default)
# 0x01 (1) = Log startup SSL/TLS parameters
# 0x02 (2) = Log remote IP address
# 0x04 (4) = Log SSL/TLS version of connections
# 0x08 (8) = Log which cipher is being used for the connection
# 0x10 (16) = Log if client has a certificate
# 0x20 (32) = Log details of client's certificate if it has one
# -1 or 0xff or 0x3f = All of the above
ssl_logging=0
nrpe.cfg Client:
Code:
log_facility=daemon
pid_file=/var/run/nrpe.pid
server_port=5666
nrpe_user=banana
nrpe_group=bananagrp
allowed_hosts=127.0.0.1
dont_blame_nrpe=0
allow_bash_command_substitution=0
debug=0
command_timeout=60
connection_timeout=300
# SSL/TLS OPTIONS
# These directives allow you to specify how to use SSL/TLS.
# SSL VERSION
# This can be any of: SSLv2 (only use SSLv2), SSLv2+ (use any version),
# SSLv3 (only use SSLv3), SSLv3+ (use SSLv3 or above), TLSv1 (only use
# TLSv1), TLSv1+ (use TLSv1 or above), TLSv1.1 (only use TLSv1.1),
# TLSv1.1+ (use TLSv1.1 or above), TLSv1.2 (only use TLSv1.2),
# TLSv1.2+ (use TLSv1.2 or above)
# If an "or above" version is used, the best will be negotiated. So if both
# ends are able to do TLSv1.2 and you specify SSLv2+, you will get TLSv1.2.
ssl_version=TLSv1.2+
# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.
#ssl_use_adh=1
# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' in this version but
# will be changed to something else in a later version of NRPE.
ssl_cipher_list=ALL:!MD5:@STRENGTH
# SSL Certificate and Private Key Files
#ssl_cacert_file=/usr/local/nagios/com/ssl/ca-cert.pem
#ssl_cert_file=/usr/local/nagios/com/ssl/nagios-cert.pem
#ssl_privatekey_file=/usr/local/nagios/com/ssl/nagios-key.pem
# SSL CLIENT CERTS
# This option determines client certificate usage.
# Values: 0 = Don't ask for or require client certificates
# 1 = Ask for client certificates
# 2 = Require client certificates
#ssl_client_certs=0
# SSL LOGGING
# This option determines which SSL messages are sent to syslog. OR values
# together to specify multiple options.
# Values: 0x00 (0) = No additional logging (default)
# 0x01 (1) = Log startup SSL/TLS parameters
# 0x02 (2) = Log remote IP address
# 0x04 (4) = Log SSL/TLS version of connections
# 0x08 (8) = Log which cipher is being used for the connection
# 0x10 (16) = Log if client has a certificate
# 0x20 (32) = Log details of client's certificate if it has one
# -1 or 0xff or 0x3f = All of the above
#ssl_logging=0
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1
command[check_zombie_procs]=/usr/local/nagios/libexec/check_procs -w 5 -c 10 -s Z
command[check_total_procs]=/usr/local/nagios/libexec/check_procs -w 150 -c 200
command[check_ssh]=/usr/local/nagios/libexec/check_ssh 127.0.0.1
command[check_disk]=/usr/local/nagios/libexec/check_linux_stats.pl -D -w 10 -c 5 -p /,/home,/var -u %
command[check_load]=/usr/local/nagios/libexec/check_linux_stats.pl -L -w 10,8,5 -c 20,18,15
command[check_mem]=/usr/local/nagios/libexec/check_linux_stats.pl -M -w 100,25 -c 100,50
command[check_cpu]=/usr/local/nagios/libexec/check_linux_stats.pl -C -w 99 -c 100 -s 5
command[check_open_file]=/usr/local/nagios/libexec/check_linux_stats.pl -F -w 10000,250000 -c 15000,350000
command[check_io]=/usr/local/nagios/libexec/check_linux_stats.pl -I -w 2000,600 -c 3000,800 -p sda1,sda3,sda4 -s 5
command[check_procs]=/usr/local/nagios/libexec/check_linux_stats.pl -P -w 1000 -c 2000
command[check_net]=/usr/local/nagios/libexec/check_linux_stats.pl -N -w 1000000 -c 1500000 -p eth0 -s 5
command[check_socket]=/usr/local/nagios/libexec/check_linux_stats.pl -S -w 500 -c 1000
command[check_uptime]=/usr/local/nagios/libexec/check_linux_stats.pl -U -w 5
command[check_ctxt]=/usr/local/nagios/libexec/check_linux_stats.pl -X -w 6000 -c 70000 -s 2
Server sends command using TLSv1.2
Client responds in TCP, plain text
I'm trying to upload a screenshot now, will be editing in a few minutes
Edit: added screenshot
192.168.10.215 is the server, 219 the client.
I can see that the client responds to requests through port 5666 (true) but without SSL.
Can you tell me if there is something wrong in my configuration?
I'd much appreciate it! Thank you
EDIT2:
I'm using VMs through VirtualBox and VMware Player.. and probably the issue is here.. I'm running tests on physical or ESXi machines and I'll see..
EDIT3:
I can confirm that there is no SSL encryption, using this configuration, between server and client. And this time I tested in a real testing environment / pre-production.
Now I'm trying using the certificates.. and I'll see
EDIT4:
With the certificates it seems that nothing's changed, and as a plus I no longer see TLSv1.2 but only TCP packets (probably the TLSv1.2 I was seeing before was the apache2 certificate).
Same question I asked previously, is my conf. good? (I mean, if it does not work of course it is not good) how should I fix or add the encryption?
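The question above is really whether the posted nrpe.cfg files leave the TLS channel authenticated at all. In both files the certificate directives are commented out, ssl_use_adh is left at the documented default of 1, and the cipher list is ALL:!MD5:@STRENGTH, so even a successful handshake is an anonymous DH one that any peer can complete. The script below is an added example written for this thread, not NRPE's own tooling: it parses the key=value format the posted configs use, ignores commented-out lines the way NRPE does, and reports the directives that allow anonymous or unlogged connections. The directive names and the "this version" defaults are taken from the comments in the posted config; the severity labels, the cipher-string heuristic and the sample excerpts are my own constructions, and the hardened sample assumes ssl_use_adh=0 disables ADH as the comment's 1/2 semantics imply.

```python
"""Audit the SSL/TLS directives of an NRPE 2.16-style nrpe.cfg.

Added example for this thread, not part of NRPE. Directive names and
defaults follow the comments in the posted nrpe.cfg; severities and the
cipher-string heuristic are assumptions made here.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    directive: str
    severity: str
    message: str


def parse_nrpe_cfg(text):
    """Return (directives, commands). '#' lines are skipped, so a
    commented-out directive counts as absent, exactly as NRPE sees it."""
    directives, commands = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        match = re.fullmatch(r"command\[([^\]]+)\]", key)
        if match:
            commands[match.group(1)] = value
        else:
            directives[key] = value
    return directives, commands


# OpenSSL cipher-string selectors that pull anonymous (unauthenticated) suites in.
ANON_SELECTORS = {"ALL", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT", "aNULL", "ADH", "AECDH"}


def cipher_list_excludes_anonymous(cipher_list):
    """Heuristic: True when the list cannot select an anonymous DH/ECDH suite.
    '!aNULL' (or both '!ADH' and '!AECDH') removes them, DEFAULT never
    includes them, a bare ALL:... does."""
    tokens = [t.strip() for t in cipher_list.split(":") if t.strip()]
    if "!aNULL" in tokens or ("!ADH" in tokens and "!AECDH" in tokens):
        return True
    return not any(t in ANON_SELECTORS for t in tokens)


def parse_int(value):
    """Accept the decimal, 0x-hex and -1 forms the ssl_logging comment documents."""
    try:
        return int(value, 0)
    except ValueError:
        return int(value)  # plain decimal with a leading zero, e.g. "08"


def audit_tls(cfg):
    """Return the weak or missing TLS directives of a parsed nrpe.cfg."""
    findings = []
    version = cfg.get("ssl_version")
    if version is None:
        findings.append(Finding("ssl_version", "high", "not set explicitly"))
    elif version not in ("TLSv1.2", "TLSv1.2+"):
        findings.append(Finding("ssl_version", "high", f"{version} allows negotiation below TLSv1.2"))
    # The posted file documents 1 (ADH enabled) as this version's default.
    if cfg.get("ssl_use_adh", "1") != "0":
        findings.append(Finding("ssl_use_adh", "high", "anonymous DH enabled: neither side is authenticated"))
    ciphers = cfg.get("ssl_cipher_list", "ALL:!MD5:@STRENGTH")  # documented default
    if not cipher_list_excludes_anonymous(ciphers):
        findings.append(Finding("ssl_cipher_list", "high", f"'{ciphers}' still admits anonymous suites"))
    for key in ("ssl_cacert_file", "ssl_cert_file", "ssl_privatekey_file"):
        if key not in cfg:
            findings.append(Finding(key, "high", "not set: no certificate to authenticate this side"))
    if cfg.get("ssl_client_certs", "0") != "2":
        findings.append(Finding("ssl_client_certs", "medium", "client certificates are not required"))
    if parse_int(cfg.get("ssl_logging", "0")) == 0:
        findings.append(Finding("ssl_logging", "low", "negotiated version and cipher are not logged to syslog"))
    return findings


# Constructed excerpt with the TLS-relevant values from the posted server nrpe.cfg.
SAMPLE_SERVER_CFG = """\
server_port=5666
allowed_hosts=127.0.0.1
ssl_version=TLSv1.2+
#ssl_use_adh=1
ssl_cipher_list=ALL:!MD5:@STRENGTH
#ssl_cacert_file=/usr/local/nagios/com/ssl/ca-cert.pem
#ssl_client_certs=0
ssl_logging=0
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
"""

# Constructed hardened variant: authenticated, certificate-based, logged.
SAMPLE_HARDENED_CFG = """\
ssl_version=TLSv1.2+
ssl_use_adh=0
ssl_cipher_list=DEFAULT:!MD5:!aNULL:!eNULL:@STRENGTH
ssl_cacert_file=/usr/local/nagios/com/ssl/ca-cert.pem
ssl_cert_file=/usr/local/nagios/com/ssl/nagios-cert.pem
ssl_privatekey_file=/usr/local/nagios/com/ssl/nagios-key.pem
ssl_client_certs=2
ssl_logging=-1
"""

if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_SERVER_CFG), ("hardened", SAMPLE_HARDENED_CFG)):
        directives, _ = parse_nrpe_cfg(text)
        print(f"== {label} ==")
        for f in audit_tls(directives) or [Finding("-", "ok", "no weak TLS directives")]:
            print(f"[{f.severity}] {f.directive}: {f.message}")
```

Run against the posted server excerpt it reports seven findings (ADH default, the ALL cipher list, the three missing certificate files, optional client certificates, no TLS logging) and none against the hardened variant. Whatever the config says, the wire is the authority: setting ssl_logging to a non-zero value, as the posted file's own comment describes, makes NRPE write the negotiated version and cipher to syslog, which is the quickest way to confirm what the packet capture is showing.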