Nagios XI server-client encrypted communications
Posted: Thu Apr 13, 2017 8:22 am
by dLans
Hello,
We generated a certificate for Nagios XI in our own PKI infrastructure. The installation was successful as we followed your very handy guide (https://assets.nagios.com/downloads/nag ... s%20XI.pdf). Our server now works only on port 443 which is exactly what we want.
The next step is to make 100% sure that all traffic between the server and clients is encrypted. Is this done by default? What can we do to enhance our security when Nagios is concerned? Even though it's mostly on our internal network we want to have the security as tight as possible. The reason for this is that for some checks we've entered in username/password combinations in the Nagios configuration. It would hurt our systems significantly if those credentials are leaked, even though we use read-only accounts.
We've also contacted the local Nagios supplier in The Netherlands for some tips, but extra information from Nagios Enterprises is also very welcome =) Any extra documentation on this matter would also be greatly appreciated!
Kind regards,
Dennis
Re: Nagios XI server-client encrypted communications
Posted: Thu Apr 13, 2017 11:21 am
by mcapra
dLans wrote: The reason for this is that for some checks we've entered in username/password combinations in the Nagios configuration.
I assume the end goal is to prevent something like packet sniffers finding a Nagios check with sensitive credentials in it?
It would 100% depend on the plugins that are passing those credentials. Some have options for encryption, some do not. NRPE/NCPA in general support encryption. Were there particular plugins you were concerned about?
Re: Nagios XI server-client encrypted communications
Posted: Thu Apr 13, 2017 12:12 pm
by WillemDH
Re: Nagios XI server-client encrypted communications
Posted: Thu Apr 13, 2017 4:23 pm
by cdienger
Thanks WillemDH. dLans, did you have any further questions?
Re: Nagios XI server-client encrypted communications
Posted: Fri Apr 14, 2017 2:06 am
by dLans
mcapra wrote: dLans wrote: The reason for this is that for some checks we've entered in username/password combinations in the Nagios configuration.
I assume the end goal is to prevent something like packet sniffers finding a Nagios check with sensitive credentials in it?
It would 100% depend on the plugins that are passing those credentials. Some have options for encryption, some do not. NRPE/NCPA in general support encryption. Were there particular plugins you were concerned about?
Hi mcapra,
Yes it is mostly to make sure that a packet sniffer does not find any useful information. Yesterday after I went home I realised I could have given more information right from the start, my apologies. We use the NRPE agent from NSClient++ that has been installed on all of our servers. The NSClient.ini contains the following lines:
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
allow nasty_meta_chars = 1
allowed hosts = *.*.*.*
command_timeout = 60
socket_timeout = 30
port = ****
use SSL
(the use of nasty characters is questionable, and default. Going to look into that myself ^^)
The option "use SSL" without additional configuration does not seem enough to provide encrypted traffic. There is some obvious configuration that I need to do regarding certificates, but there is not that much information to be found on the internet (there is some, but checking with you guys usually gets me going in the right direction =)).
Re: Nagios XI server-client encrypted communications
Posted: Fri Apr 14, 2017 2:07 am
by dLans
Thank you =) I will most certainly go through this list to see what we must implement.
Re: Nagios XI server-client encrypted communications
Posted: Fri Apr 14, 2017 3:23 am
by dLans
I used Wireshark on the local system and can confirm that it does send it all in plain text across the network. We have several different types of checks going on:
Database check for SAP systems:
$USER1$/check_maxdb.pl -f -t $ARG1$ -H $HOSTADDRESS$ -d $ARG2$ -u $ARG3$ -w $ARG4$ -c $ARG5$
ARG3 contains username + password information
Check disk size:
$USER1$/check_nrpe -H $HOSTADDRESS$ -c CheckDriveSize -a ShowAll MinWarnFree=$ARG1$ MinCritFree=$ARG2$ $ARG3$
This uses NRPE and gives us an SSL handshake error (which is good, SSL handshake I can probably fix).
The maxdb plugin:
https://exchange.nagios.org/directory/P ... db/details
Is there a way we can force all plugins to use encryption? Or would there be a much safer way to store username/password combinations for the checks? I have too little knowledge of these things unfortunately, I'm trying as hard as I can to learn =). We've contacted Nagios Netherlands to hire a consultant for a day or two, but it will be a while before they can be here.
Re: Nagios XI server-client encrypted communications
Posted: Fri Apr 14, 2017 8:16 am
by dwhitfield
I don't want to derail this but:
1. Have you considered WMI?
2. What versions of Windows are you checking (assuming Windows even though NSClient *can* be used on Linux). My understanding is newer versions of Windows have SSH by default or easily installed. This means you could use check_by_ssh. I haven't tested check_by_ssh on Windows and realistically am not likely to have time to, but it may be an option for you.
Re: Nagios XI server-client encrypted communications
Posted: Fri Apr 14, 2017 3:19 pm
by WillemDH
First thing you should do is change
so it is only allowed to run nrpe checks from your Nagios server. You could then
- Hardcode the username and password in nsclient.ini
- Hardcode the username and password in the plugin
- Or save the password in an encrypted password file (you can do that with PowerShell, not sure about Perl)
That way the password does not need to be sent over the network. You could also set allow arguments to false this way, which is also more secure.
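An added example, not part of any post in this thread and not NSClient++ code: a small Python check that applies the advice above to the [/settings/NRPE/server] section dLans posted, flagging the open host list, the argument-passing options and the valueless SSL line. The Nagios server address 192.0.2.10, the finding labels, and treating a bare "use SSL" as not enabled are assumptions of this example.

```python
import configparser
import ipaddress

# Constructed sample: the section as posted in the thread (port masked there too).
SAMPLE_INI = """\
[/settings/NRPE/server]
allow arguments = true
allow nasty characters = true
allow nasty_meta_chars = 1
allowed hosts = *.*.*.*
command_timeout = 60
socket_timeout = 30
port = ****
use SSL
"""
SECTION = "/settings/NRPE/server"
TRUTHY = {"1", "true", "yes", "on"}

def audit_nrpe_section(ini_text, nagios_server_ip):
    """Return findings for the NRPE server section; an empty list means none."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section(SECTION):
        return ["missing-section"]
    sec, findings = cp[SECTION], []
    # Assumption of this example: a bare "use SSL" (no "= true") counts as not enabled.
    if (sec.get("use ssl") or "").strip().lower() not in TRUTHY:
        findings.append("ssl-not-enabled")
    # Every entry must be exactly the Nagios server address, not a wildcard or a range.
    server = ipaddress.ip_address(nagios_server_ip)
    for host in (sec.get("allowed hosts") or "").split(","):
        host = host.strip()
        if not host:
            continue
        try:
            net = ipaddress.ip_network(host, strict=False)
        except ValueError:  # wildcard pattern or hostname
            findings.append("allowed-hosts-not-an-address:" + host)
            continue
        if net.num_addresses != 1 or server not in net:
            findings.append("allowed-hosts-not-only-nagios-server:" + host)
    # With credentials kept on the client, argument passing can be switched off.
    for key in ("allow arguments", "allow nasty characters", "allow nasty_meta_chars"):
        if (sec.get(key) or "").strip().lower() in TRUTHY:
            findings.append("enabled:" + key)
    return findings

if __name__ == "__main__":
    for finding in audit_nrpe_section(SAMPLE_INI, "192.0.2.10"):
        print(finding)
```

The check only reads this one section, so settings placed elsewhere in the ini file are not considered.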
Re: Nagios XI server-client encrypted communications
Posted: Fri Apr 14, 2017 4:13 pm
by dwhitfield
@dLans, did @WillemDH's suggestion work for you?
Thanks @WillemDH!