Secure check transmission from Nagios
Posted: Fri Feb 07, 2014 8:07 am
by sds54
Hello,
I would like to secure transmission between my Nagios server (Ubuntu) and the remote hosts (Linux and Windows). I have already enabled SSL, set iptables to only accept checks from the IP of my server, and followed the Security Considerations from Nagios. I need to use external scripts and send external commands; this is the problem!
What more can I do?
Does somebody have an idea?
Add an SSL certificate? Is it possible? Because I can't find clear information about that!
Thanks for your answers!
Re: Secure check transmission from Nagios
Posted: Fri Feb 07, 2014 2:18 pm
by sreinhardt
Honestly, using external scripts and commands is not a huge huge deal with the steps you have already taken, and hopefully continue to take. You absolutely can use certificates and SSL depending on the check and/or agent you are running. If you must use a check that cannot be encrypted, you can always run an agent local to that network and use that to send back the data in an encrypted form.
Re: Secure check transmission from Nagios
Posted: Sat Feb 08, 2014 12:27 pm
by sds54
Thank you, sreinhardt, for your answer.
I'm looking for information on Google, or the websites of NSClient++ and NRPE.
But I can't find official documentation about the implementation of certificate-based authentication in Nagios.
I have only found this webpage, but I don't understand how to add and configure NSClient on the Nagios server!
Do you know where I can find tutorials or documentation about that? Maybe somebody can post example configuration files like nsc.ini or nrpe.cfg?
I think this may interest a lot of people worried about security.
Re: Secure check transmission from Nagios
Posted: Mon Feb 10, 2014 11:18 am
by slansing
As shown here:
http://www.nsclient.org/nscp/discussion/topic/62
You should enable SSL in the nsc/nsclient.ini file, and restart the daemon in the Windows services.msc listing.
Re: Secure check transmission from Nagios
Posted: Tue Feb 11, 2014 2:11 am
by sds54
Hello slansing,
SSL is already enabled in my configuration files, but it does not specify which certificate and key to use.
I have no information about the syntax for adding the path and the key to use!
Has someone already done that?
Re: Secure check transmission from Nagios
Posted: Tue Feb 11, 2014 2:12 pm
by slansing
This does not use certificates per se; using the SSL flags between the NRPE server and an SSL-compiled NRPE client is simply point-to-point encryption, as NRPE already requires you to give it addresses from which it will accept commands. There are alternatives to using NRPE, of course: you can check via SNMP, various passive agents (of which NRDS uses encryption over secure HTTP), or even check_by_ssh, which uses SSH keys (this is what I think you are thinking of).
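Added example, not posted by anyone in this thread and not Nagios project code: the last reply notes that NRPE's SSL mode only encrypts and that access rests on the addresses NRPE is told to accept, so this shell function audits an nrpe.cfg for that list. The `dont_blame_nrpe` check (a real NRPE directive not mentioned in the thread), the "wider than /24" threshold, the function name and the sample file are assumptions of this example; note that NRPE ignores `allowed_hosts` when it runs under inetd/xinetd.

```shell
#!/bin/sh
# audit_nrpe_cfg FILE
# Prints one finding per line for the settings that decide who may run
# checks through NRPE. Prints nothing when no problem is found.
audit_nrpe_cfg() {
    awk '
        /^[ \t]*#/ || !/=/ { next }        # skip comments and non-directives
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t\r]/, "", key)
            gsub(/[ \t\r]/, "", val)
        }
        key == "allowed_hosts" {
            seen = 1
            if (val == "") print "FAIL allowed_hosts is empty"
            n = split(val, hosts, ",")
            for (i = 1; i <= n; i++)
                # IPv4 prefix shorter than /24 (threshold is an assumption)
                if (hosts[i] ~ "/([0-9]|1[0-9]|2[0-3])$")
                    print "WARN allowed_hosts has broad range " hosts[i]
        }
        key == "dont_blame_nrpe" && val == "1" {
            print "FAIL dont_blame_nrpe=1 lets clients pass command arguments"
        }
        END { if (!seen) print "FAIL allowed_hosts not set" }
    ' "$1"
}

# Constructed sample config (addresses are documentation/private ranges).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# nrpe.cfg (constructed for this example)
server_port=5666
allowed_hosts=127.0.0.1,192.0.2.10,10.0.0.0/8
dont_blame_nrpe=1
EOF
audit_nrpe_cfg "$sample"
rm -f "$sample"
```
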