VA for Nagios agent port.
-
cyberportnoc
- Posts: 66
- Joined: Tue Nov 24, 2015 1:14 am
VA for Nagios agent port.
Dear support,
Recently, we found the below unexpected VA findings on Nagios agent port 5666:
5666 SSL Version 2 and 3 Protocol Detection "The remote service encrypts traffic using a protocol with known weaknesses."
5666 SSL Weak Cipher Suites Supported The remote service supports the use of weak SSL ciphers.
5666 SSL Medium Strength Cipher Suites Supported The remote service supports the use of medium strength SSL ciphers.
5666 SSL RC4 Cipher Suites Supported (Bar Mitzvah) The remote service supports the use of the RC4 cipher.
5666 SSLv3 Padding Oracle On Downgraded Legacy Encryption Vulnerability (POODLE) "It is possible to obtain sensitive information from the remote host with SSL/TLS-enabled services."
5666 SSL/TLS EXPORT_DHE <= 512-bit Export Cipher Suites Supported (Logjam) The remote host supports a set of weak ciphers.
Any possible solution to solve it?
Please advise
Thanks,
Kelvin
Re: VA for Nagios agent port.
What NRPE version are you running on that server? The latest NRPE will have options for more secure SSL settings:
https://github.com/NagiosEnterprises/nr ... pe-3.0-RC1
Specifically in the README.SSL.md file:
https://github.com/NagiosEnterprises/nr ... DME.SSL.md
You'll want your security team to give that a read and update/configure your NRPE server to use whatever SSL settings your organization requires. Most of the above will be mitigated by moving from SSL to TLSv1.2.
Former Nagios employee
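Before a cipher string goes into the agent's SSL settings, the listing printed by `openssl ciphers -v '<string>'` can be screened for the suite classes flagged in the scan above. This is an added example, not part of the original thread or of NRPE/NSClient++; the sample lines are constructed, and the bit thresholds (under 64 weak, under 112 or 3DES medium) are assumptions about the scanner's categories.

```python
import re

# Constructed sample in the `openssl ciphers -v` format (older OpenSSL builds
# still list these suites); this is not output from the poster's host.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
"""

LINE = re.compile(
    r"^(?P<name>\S+)\s+\S+\s+Kx=(?P<kx>[^\s(]+)(?:\((?P<kxbits>\d+)\))?\s+Au=\S+"
    r"\s+Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=\S+(?P<export>\s+export)?\s*$"
)

def findings(line):
    """Return (suite name, list of scan findings this suite would trigger)."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised cipher line: {line!r}")
    bits = int(m["bits"] or 0)   # Enc=None (NULL cipher) carries no bit count
    enc = m["enc"].upper()
    out = []
    if enc == "RC4":
        out.append("RC4 (Bar Mitzvah)")
    if bits < 64:                          # assumed threshold for "weak"
        out.append("weak cipher")
    elif bits < 112 or enc == "3DES":      # assumed threshold for "medium"
        out.append("medium strength cipher")
    if m["export"] and m["kx"] == "DH" and int(m["kxbits"] or 0) <= 512:
        out.append("EXPORT_DHE (Logjam)")
    return m["name"], out

def audit(cipher_listing):
    # The protocol column is ignored on purpose: it names the version that
    # defined the suite, not what the service accepts. The SSLv2/SSLv3 and
    # POODLE findings depend on the protocol version setting instead.
    report = {}
    for line in filter(str.strip, cipher_listing.splitlines()):
        name, issues = findings(line)
        if issues:
            report[name] = issues
    return report

if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(f"{name}: {', '.join(issues)}")
```

An empty result from `audit()` only covers the cipher-suite findings; the protocol version still has to be restricted separately.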
-
cyberportnoc
- Posts: 66
- Joined: Tue Nov 24, 2015 1:14 am
Re: VA for Nagios agent port.
Dear Donald,
It is the Windows agent
Name: NSClient++(x64)
Version: 0.3.9.328
Please advise.
Thanks,
Kelvin
- Box293
- Too Basu
- Posts: 5126
- Joined: Sun Feb 07, 2010 10:55 pm
- Location: Deniliquin, Australia
- Contact:
Re: VA for Nagios agent port.
The latest version of NSClient++ supports stronger encryption, however there are some hurdles to overcome.
1) Understanding the documentation. There's a guide here, but it's not that easy to understand:
https://www.medin.name/blog/2012/12/02/ ... ntication/
2) check_nrpe that is used to connect to the NSClient++ will not work in this scenario. You'll actually have to compile the NSClient++ for Linux version from github on your Nagios XI server, which is somewhat complicated and a bit beta. NRPE v3 is soon to be released and it should be able to contact NSClient++ using certificates, however it is still in beta and cannot be relied upon in a production environment.
Your best bet is to do some testing with NRPE v3.
I plan on releasing some documentation that explains how to get all this to work, but right now I do not have that available.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
-
cyberportnoc
- Posts: 66
- Joined: Tue Nov 24, 2015 1:14 am
Re: VA for Nagios agent port.
Dear Box,
The workstation is Windows 2012 R2; can we install any updated agent to fix the VA?
Please advise.
Thanks,
Kelvin
- Box293
- Too Basu
- Posts: 5126
- Joined: Sun Feb 07, 2010 10:55 pm
- Location: Deniliquin, Australia
- Contact:
Re: VA for Nagios agent port.
Updating the NSClient++ agent is required and what I explained in the last post is what needs to be done. If there was an easier solution I would have posted it.
-
cyberportnoc
- Posts: 66
- Joined: Tue Nov 24, 2015 1:14 am
Re: VA for Nagios agent port.
Dear Box,
According to your reply, is it necessary to wait for the NRPE v3 release to fix this issue?
Please advise.
Thanks,
Kelvin
Re: VA for Nagios agent port.
Currently yes, unless you want to install the RC and test it out:
https://github.com/NagiosEnterprises/nrpe/tree/nrpe-3.0-RC1
-
cyberportnoc
- Posts: 66
- Joined: Tue Nov 24, 2015 1:14 am
Re: VA for Nagios agent port.
Dear ssas,
Do we only implement the upgrade on that client server?
Please advise
Thanks,
Kelvin
- Box293
- Too Basu
- Posts: 5126
- Joined: Sun Feb 07, 2010 10:55 pm
- Location: Deniliquin, Australia
- Contact:
Re: VA for Nagios agent port.
It requires the upgrade to be applied to both the client and the Nagios XI server.