hostnames in nsca config
Posted: Sun Nov 15, 2015 2:45 pm
by WillemDH
Is it possible to use hostnames in the only_from directive of /etc/xinetd.d/nsca, or does it only accept IP addresses? It's because I have a host with a dynamic IP address which has a dyndns host record.
Re: hostnames in nsca config
Posted: Sun Nov 15, 2015 10:35 pm
by Box293
I believe DNS entries are allowed, I've seen the same done with the NRPE agent which uses an almost identical config.
Re: hostnames in nsca config
Posted: Wed Nov 18, 2015 8:53 am
by WillemDH
K tx. I'll test this soon. Another question. Is it possible to use ranges? It seems I'm not (yet?) using the only_from directive in /etc/xinetd.d/nsca on my production server. It would be nearly impossible to configure 600 IP addresses, but these 600 hosts are divided in +- 4 big IP ranges. Any info on this?
https://www.google.be/url?sa=t&rct=j&q= ... 15-HsCwQcA
doesn't mention anything about ranges. It would be nice to be able to use
only_from 15.10.2.x
Re: hostnames in nsca config
Posted: Wed Nov 18, 2015 2:32 pm
by tgriep
I tried to use 15.10.2.x and 15.10.2.0/24 and both failed.
Your only option for multiple hosts is to remove the only_from altogether from the config file and then it will work for any IP address.
Re: hostnames in nsca config
Posted: Wed Nov 18, 2015 2:55 pm
by WillemDH
Thanks for testing this. What do you think? Is this worth a feature request? This is for Nagios Core I guess... It just doesn't feel right that everyone can send. Would it add an extra layer of protection, or would it just consume resources...?
Re: hostnames in nsca config
Posted: Wed Nov 18, 2015 6:10 pm
by Box293
I'm surprised a range doesn't work. In my /etc/xinetd.d/nrpe file I have:
only_from = 10.25.0.0/16
I would only assume this would work in the nsca file.
Re: hostnames in nsca config
Posted: Tue Mar 01, 2016 4:46 pm
by WillemDH
I tested this again and I found out that hostnames do not seem to work. IP address ranges do seem to work.
So this:
only_from = 127.0.0.1 212.71.234.84 78.21.32.0/21
Allowed me to send from 78.21.36.13 with subnet 255.255.248.0
Would it be opportune to make a feature request so hostnames become allowed in the nsca config file? I can see use in this for hosts with dynamic IP addresses. Low priority is fine for me.
Besides the above, I think the
https://assets.nagios.com/downloads/nag ... ios-XI.pdf could use an update with an example ip range and also a command to restart xinetd on CentOS 7 systems:
Grtz
Willem
Re: hostnames in nsca config
Posted: Wed Mar 02, 2016 12:08 pm
by tmcdonald
The xinetd config file for NSCA is not something we can change the behavior of, but according to
man xinetd.conf the hostname should work just fine as long as a reverse lookup matches:
only_from determines the remote hosts to which the particular service is available. Its value is a list of IP addresses which can be specified in any combination of the following ways:
    a) a numeric address in the form of %d.%d.%d.%d. If the rightmost components are 0, they are treated as wildcards (for example, 128.138.12.0 matches all hosts on the 128.138.12 subnet). 0.0.0.0 matches all Internet addresses. IPv6 hosts may be specified in the form of abcd:ef01::2345:6789. The rightmost rule for IPv4 addresses does not apply to IPv6 addresses.
    b) a factorized address in the form of %d.%d.%d.{%d,%d,...}. There is no need for all 4 components (i.e. %d.%d.{%d,%d,...%d} is also ok). However, the factorized part must be at the end of the address. This form does not work for IPv6 hosts.
    c) a network name (from /etc/networks). This form does not work for IPv6 hosts.
    d) a host name. When a connection is made to xinetd, a reverse lookup is performed, and the canonical name returned is compared to the specified host name. You may also use domain names in the form of .domain.com. If the reverse lookup of the client's IP is within .domain.com, a match occurs.
    e) an ip address/netmask range in the form of 1.2.3.4/32. IPv6 address/netmask ranges in the form of 1234::/46 are also valid.
Specifying this attribute without a value makes the service available to nobody.
Regarding the doc, I'll see about getting that updated.
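Added example, not part of the original thread and not xinetd's own code: a small offline checker that applies the numeric only_from forms quoted above (a, b and e) to a client address, so an allow-list can be sanity-checked before xinetd is restarted. The function names are made up for this example, and hostname or network-name entries (forms c and d) are only listed, not resolved, because they depend on /etc/networks and on a reverse lookup.

```python
import ipaddress
import re

# only_from value quoted earlier in this thread
PAGE_VALUE = "127.0.0.1 212.71.234.84 78.21.32.0/21"

def to_networks(entry):
    """Turn one numeric only_from entry (forms a, b, e) into IPv4 networks."""
    if "/" in entry:  # form e: address/netmask range
        return [ipaddress.ip_network(entry, strict=False)]
    m = re.fullmatch(r"((?:\d+\.){1,3})\{(\d+(?:,\d+)*)\}", entry)
    if m:  # form b: factorized last component
        return [n for alt in m.group(2).split(",")
                for n in to_networks(m.group(1) + alt)]
    parts = entry.split(".")
    # Assumption of this example: a short factorized form such as
    # 10.25.{1,2} is padded with zero components, which then act as wildcards.
    parts += ["0"] * (4 - len(parts))
    # form a: each rightmost 0 component is a wildcard octet
    zeros = 0
    while zeros < 4 and parts[3 - zeros] == "0":
        zeros += 1
    return [ipaddress.ip_network(f"{'.'.join(parts)}/{32 - 8 * zeros}")]

def parse_only_from(value):
    """Split an only_from value into (networks, names needing a lookup)."""
    networks, names = [], []
    for entry in value.split():
        if ":" in entry:  # IPv6 address or address/netmask
            networks.append(ipaddress.ip_network(entry, strict=False))
        elif re.fullmatch(r"[\d.{},/]+", entry):
            networks.extend(to_networks(entry))
        else:
            names.append(entry)  # forms c/d: not evaluated offline
    return networks, names

def is_allowed(client_ip, value):
    """True if client_ip matches a numeric entry; an empty value matches nobody."""
    networks, _ = parse_only_from(value)
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)
```

Note that an entry such as 15.10.2.x is not a numeric form at all, so it ends up in the names list; under form a the same subnet is written 15.10.2.0.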
Re: hostnames in nsca config
Posted: Wed Mar 02, 2016 12:11 pm
by ssax
This is an xinetd specific configuration option, it says you should be able to:
http://linux.die.net/man/5/xinetd.conf
Search for only_from and it will give you what is supported.
Edit: Dang, I was too slow..
Re: hostnames in nsca config
Posted: Wed Mar 16, 2016 4:58 pm
by Box293
Documentation has now been updated with these suggestions, thanks for the feedback.