Port 5666/tcp issues with TLSv1.0, TLSv1.1, and 3DES
Posted: Fri Apr 24, 2020 1:22 pm
by xlin125
We have Nagios XI 5.4.8 on RHEL 7.7 and the Nagios NRPE agent 3.2.1 on RHEL 7.7. By design, the Nagios XI 5.4.8 server communicates with the Nagios NRPE agent on port 5666/tcp. Active checks are used. Recently, a security scan of the server on which the Nagios NRPE agent 3.2.1 is installed reported vulnerabilities on port 5666/tcp because TLS 1.0 and TLS 1.1 are enabled and the server supports at least one cipher. How can we disable TLS 1.0 and TLS 1.1, enable TLS 1.2, and disable 3DES on this server? Also, is there anything we can do on the Nagios XI server side? The Nagios XI server runs the Nagios plugin/command "check_nrpe" to communicate with the Nagios NRPE agent 3.2.1.
Re: Port 5666/tcp issues with TLSv1.0, TLSv1.1, and 3DES
Posted: Fri Apr 24, 2020 2:17 pm
by ssax
I believe you can set this in your nrpe.cfg and restart the nrpe service/xinetd:
Try it out on a test system and see if it scans properly.
Re: Port 5666/tcp issues with TLSv1.0, TLSv1.1, and 3DES
Posted: Fri Apr 24, 2020 4:09 pm
by xlin125
@ssax, thanks for the quick response.
Before I added the line "ssl_version=TLSv1.2+", I noticed that TLSv1.0 and TLSv1.1 were not listed in the output from running "openssl ciphers -v", but TLSv1.2 and SSLv3 were listed. After I added "ssl_version=TLSv1.2+" to nrpe.cfg and restarted xinetd, I see no difference in the output before and after adding "ssl_version=TLSv1.2+" to nrpe.cfg. I also want to disable SSLv3, so I tried updating the line to the following and restarted xinetd. The output from running "openssl ciphers -v" still shows SSLv3:
ssl_version=TLSv1.2+ SSLv3-
Any comments or suggestions on the output? How can I confirm that TLSv1.0 and TLSv1.1 are disabled now and that port 5666/tcp would not be a security vulnerability on this server with the Nagios NRPE v3.2.1 agent?
The following is the output from running "openssl ciphers -v":
$ openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256
DH-DSS-AES256-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
DH-RSA-AES256-SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA1
DH-DSS-AES256-SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
DH-RSA-CAMELLIA256-SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
PSK-AES256-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
DH-RSA-AES128-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA256
DH-DSS-AES128-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
DH-RSA-AES128-SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA1
DH-DSS-AES128-SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA1
DHE-RSA-SEED-SHA SSLv3 Kx=DH Au=RSA Enc=SEED(128) Mac=SHA1
DHE-DSS-SEED-SHA SSLv3 Kx=DH Au=DSS Enc=SEED(128) Mac=SHA1
DH-RSA-SEED-SHA SSLv3 Kx=DH/RSA Au=DH Enc=SEED(128) Mac=SHA1
DH-DSS-SEED-SHA SSLv3 Kx=DH/DSS Au=DH Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA128-SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA128-SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
SEED-SHA SSLv3 Kx=RSA Au=RSA Enc=SEED(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA SSLv3 Kx=DH/RSA Au=DH Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA SSLv3 Kx=DH/DSS Au=DH Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=SHA1
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-IDEA-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=IDEA(128) Mac=MD5
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ECDH-RSA-RC4-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128) Mac=SHA1
ECDH-ECDSA-RC4-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
PSK-RC4-SHA SSLv3 Kx=PSK Au=PSK Enc=RC4(128) Mac=SHA1
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
Re: Port 5666/tcp issues with TLSv1.0, TLSv1.1, and 3DES
Posted: Fri Apr 24, 2020 4:28 pm
by ssax
That openssl ciphers command is showing the ciphers it supports, not what NRPE supports.
Re: Port 5666/tcp issues with TLSv1.0, TLSv1.1, and 3DES
Posted: Fri Apr 24, 2020 5:28 pm
by xlin125
@ssax, thanks for the clarification. The line "ssl_version=TLSv1.2+" was added to nrpe.cfg and xinetd was restarted. A scan request has been submitted. I will let you know the scan result.
Again, thanks for the help and support!
Re: Port 5666/tcp issues with TLSv1.0, TLSv1.1, and 3DES
Posted: Sun Apr 26, 2020 10:59 am
by xlin125
@ssax, after the line "ssl_version=TLSv1.2+" was added to nrpe.cfg and xinetd was restarted, the scan report showed that the high risk associated with TLS 1.0 and the medium risk associated with TLS 1.1 on open port 5666/tcp were resolved. Thanks!
The scan report also showed a medium risk associated with the SSLCipherSuite 3DES (Triple-DES encryption) on port 5666/TCP. It looks like Nagios supports the use of medium-strength SSL ciphers. The scan report recommended reconfiguring the affected application (Nagios), if possible, to avoid the use of medium-strength ciphers. How can we disable the 3DES encryption suite? Can we add a line to nrpe.cfg to disable it, or can we update the line "ssl_version=TLSv1.2+" in nrpe.cfg by adding an option to disable "3DES"? Thanks!
Re: Port 5666/tcp issues with TLSv1.0, TLSv1.1, and 3DES
Posted: Sun Apr 26, 2020 5:10 pm
by xlin125
More specifically, the vulnerability from the scan is described as "Plugin ID 42873, CVE-2016-2183, SSL Medium Strength Cipher Suites Supported (SWEET32)", and the risk is high. This vulnerability is found on port 5666/TCP, on which the Nagios NRPE agent listens.
Re: Port 5666/tcp issues with TLSv1.0, TLSv1.1, and 3DES
Posted: Mon Apr 27, 2020 10:52 am
by ssax
Great, glad to help!
You can adjust your ciphers in your nrpe.cfg as well:
# SSL USE ADH
# This is for backward compatibility and is DEPRECATED. Set to 1 to enable
# ADH or 2 to require ADH. 1 is currently the default but will be changed
# in a later version.
#ssl_use_adh=1
# SSL CIPHER LIST
# This lists which ciphers can be used. For backward compatibility, this
# defaults to 'ssl_cipher_list=ALL:!MD5:@STRENGTH' for < OpenSSL 1.1.0,
# and 'ssl_cipher_list=ALL:!MD5:@STRENGTH:@SECLEVEL=0' for OpenSSL 1.1.0 and
# greater.
ssl_cipher_list=HIGH:!MD5:!3DES@STRENGTH:@SECLEVEL=0
Taken from here:
https://github.com/NagiosEnterprises/nr ... rpe.cfg.in
Re: Port 5666/tcp issues with TLSv1.0, TLSv1.1, and 3DES
Posted: Wed Apr 29, 2020 5:38 pm
by xlin125
@ssax, I added the following lines to nrpe.cfg:
# set the SSL version
ssl_version=TLSv1.2+
# SSL CIPHER LIST
ssl_cipher_list=HIGH:!MD5:!3DES@STRENGTH:@SECLEVEL=0
After I restarted xinetd, I tested the connection on port 5666/tcp from a Nagios XI server to the server that has this Nagios agent installed. It seems that once the connection was accepted, it was immediately closed by the server that has this Nagios agent installed. Please see the test using telnet below:
$ telnet 135.25.86.36 5666
Trying 135.25.86.36...
Connected to 135.25.86.36.
Escape character is '^]'.
Connection closed by foreign host.
I see the same issue with the error on the Nagios XI GUI "Status Information" field:
CHECK_NRPE: Error - Could not connect to 135.25.86.36 : Connection reset by peer
It is the following ssl_cipher_list line that causes this issue (the connection from a remote server on port 5666/tcp is closed):
ssl_cipher_list=HIGH:!MD5:!3DES@STRENGTH:@SECLEVEL=0
How can we resolve this issue while still addressing the 3DES/cipher issue? Thanks!
Re: Port 5666/tcp issues with TLSv1.0, TLSv1.1, and 3DES
Posted: Wed Apr 29, 2020 9:44 pm
by xlin125
@ssax, I just made the change to the ssl_cipher_list in nrpe.cfg on the Nagios agent side as shown below, and now the Nagios XI server is able to connect to the Nagios agent on port 5666/tcp:
ssl_cipher_list=HIGH:!MD5:!3DES
Before I made the change this line was "ssl_cipher_list=HIGH:!MD5:!3DES@STRENGTH:@SECLEVEL=0".
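As an added example (not from this thread or from Nagios), a small Python lint for ssl_cipher_list values that models OpenSSL's cipher-string grammar: a command such as @STRENGTH must be its own ':'-separated item, and @SECLEVEL only exists from OpenSSL 1.1.0 onward (RHEL 7 ships OpenSSL 1.0.2), so the string posted above has two problems while the trimmed one that finally worked has none, which is consistent with the immediate connection close seen in the telnet test. The grammar model, the WEAK_RE pattern and the version tuple are the example's own assumptions; expand_cipher_list queries whatever OpenSSL is linked into the local Python, which may differ from the NRPE host.

```python
import re
import ssl

# Cipher-list grammar as modelled here (assumption): items are ':'-separated;
# each is a cipher/alias with an optional '!', '-' or '+' prefix, or its own
# '@COMMAND' item. '@STRENGTH' exists in every OpenSSL; '@SECLEVEL=n' only in
# OpenSSL 1.1.0 and later (RHEL 7 ships OpenSSL 1.0.2, which rejects it).
SPECIAL_RE = re.compile(r"^@(STRENGTH|SECLEVEL=[0-5])$")
ITEM_RE = re.compile(r"^[!+-]?[A-Za-z0-9.+-]+$")
WEAK_RE = re.compile(r"3DES|DES-CBC3|RC4|MD5|IDEA|SEED")

def lint_cipher_list(spec, openssl_version=(1, 0)):
    """Return (item, problem) pairs; openssl_version is the (major, minor)
    NRPE links against, defaulting to RHEL 7's OpenSSL 1.0.2."""
    problems = []
    for item in spec.split(":"):
        if item.startswith("@"):
            if not SPECIAL_RE.match(item):
                problems.append((item, "unknown @ command"))
            elif item.startswith("@SECLEVEL") and openssl_version < (1, 1):
                problems.append((item, "needs OpenSSL 1.1.0+; older parsers "
                                       "reject the whole list"))
        elif "@" in item:
            # '!3DES@STRENGTH': the command is glued to a cipher token, so
            # '@STRENGTH' is never executed as a command.
            problems.append((item, "'@' command must be its own ':' item"))
        elif not ITEM_RE.match(item):
            problems.append((item, "not a valid cipher or alias token"))
    return problems

def expand_cipher_list(spec):
    """Ask the OpenSSL linked into this Python what the list selects;
    raises ssl.SSLError if that OpenSSL rejects the string outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]

def weak_ciphers(names):
    """Cipher names a SWEET32 / legacy-cipher scan would still flag."""
    return [n for n in names if WEAK_RE.search(n)]

if __name__ == "__main__":
    for spec in ("HIGH:!MD5:!3DES@STRENGTH:@SECLEVEL=0",   # as posted above
                 "HIGH:!MD5:!3DES:@STRENGTH:@SECLEVEL=0",  # colon fixed, 1.1.0+ only
                 "HIGH:!MD5:!3DES"):                        # what finally worked
        print(spec, "->", lint_cipher_list(spec) or "no problems found")
    print("still flagged:", weak_ciphers(expand_cipher_list("HIGH:!MD5:!3DES")))
```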