Use encryption in Nagios (XI, Core)?

[xlin125]

Is there any encryption used in the operations of the Nagios product (core and XI) by default installation? For example, is there encryption used
1. between Nagios XI or Core server and NRPE agent communications
2. between Nagios XI or Core server and snmp agent on monitored machine (agentless method)
3. between user and Nagios XI Web Interface access
4. between nagios XI or Core and MySQL database / Postgres database

It seems by default, encryption is not used for the communications listed above. If this is the case, does Nagios support the encryption listed above and others that are not listed above? Thanks!

[rkennedy]

1. Yes, NRPE supports encryption. You would need to configure it to do so.
2. I don't believe this is a Nagios limitation. SNMP monitoring really depends on the version you're using. If encryption is what you're after, use SNMPv3.
3. See this document for instructions on setting up SSL with apache - https://assets.nagios.com/downloads/nag ... s%20XI.pdf
4. No encryption is used by default for storing to the local DB. If this is something you're after, take a look at this part of the MySQL documentation a coworker found - http://dev.mysql.com/doc/refman/5.7/en/ ... tions.html

[xlin125]

Thanks for the quick response!

We setup the check_nrpe from the Nagios XI to communicate with a Nagios NRPE agent without the option "-n" meaning "Do no use SSL". So that means we do use encryption for this communication from a Nagios XI to a NRPE agent by default, correct? On the Nagios XI server, the openSSL has a version 1.0.1e, which is higher than the version 0.9.6 required by check_nrpe for SSL support. By default, what is the bit length for encryption, 1024 or 2048, when running check_nrpe with use of SSL? Assuming the openSSL on the Nagios NRPE agent box has the same version as that on the Nagios XI server. Thanks!

[eloyd]

Just to increase my post count add to the conversation, you can also perform service checks over SSH tunnels via check_by_ssh. This is another tool in the toolbox for security.

[rkennedy]

Thanks for the quick response!

We setup the check_nrpe from the Nagios XI to communicate with a Nagios NRPE agent without the option "-n" meaning "Do no use SSL". So that means we do use encryption for this communication from a Nagios XI to a NRPE agent by default, correct? On the Nagios XI server, the openSSL has a version 1.0.1e, which is higher than the version 0.9.6 required by check_nrpe for SSL support. By default, what is the bit length for encryption, 1024 or 2048, when running check_nrpe with use of SSL? Assuming the openSSL on the Nagios NRPE agent box has the same version as that on the Nagios XI server. Thanks!

Yes, -n will use insecure mode specifically. You need to not specify it in order to use SSL.

By default, NRPE 2.15 uses 512 bits, and NRPE 3 uses 2048 bits. For more info about NRPE 3 and security, see this document - https://support.nagios.com/kb/article.php?id=519

[Box293]

You should look at implementing NRPE v3 with certificates, the strongest available encryption method in the OpenSSL suite will be used then.

[xlin125]

rkennedy,

Thank you again for the information!

You mentioned earlier that "NRPE supports encryption. You would need to configure it to do so." By default Nagios XI runs check_nrpe without the "-n" option to do the SSL handshake with the NRPE daemon running on a NRPE agent box, so the ongoing communication is done via a SSL session. What else needs to be configured on the NRPE agent box side to enable NRPE supporting encryption? Thanks!

[tmcdonald]

Take a look at the following README files from the NRPE source:

https://github.com/NagiosEnterprises/nr ... ECURITY.md
https://github.com/NagiosEnterprises/nr ... DME.SSL.md

[rkennedy]

rkennedy,

Thank you again for the information!

You mentioned earlier that "NRPE supports encryption. You would need to configure it to do so." By default Nagios XI runs check_nrpe without the "-n" option to do the SSL handshake with the NRPE daemon running on a NRPE agent box, so the ongoing communication is done via a SSL session. What else needs to be configured on the NRPE agent box side to enable NRPE supporting encryption? Thanks!

Allow NRPE to run without the -n flag, and it will use encryption. If you're looking into certificate authentication, see what @Box293 mentioned. The article on our KB is full of information about it as well - https://support.nagios.com/kb/article.php?id=519