Home » Categories » Multiple Categories

NRPE - v3 Enhanced Security

Overview

This KB article discusses NRPE v3 and the new security features implemented in that version.

  • A 2048-bit DH key is used instead of a 512-bit key

  • The ssl_version directive lets you set which versions of SSL/TLS you want to allow (TLSv2+ by default)
  • The ssl_cipher_list directive lets you specify which ciphers you want to allow (ALL:!MD5:@STRENGTH by default)

  • Certificates can be used for security

    • NRPE client can use a certificate for encryption

    • The NRPE client can request the check_nrpe plugin provide a valid certificate

 

 

Nomenclature

The following explains the terms used in this document.

  • Client / Agent

    • This is what is listening for NRPE requests

    • "NRPE Client" refers to the Unix/Linux based client, provided by Nagios Enterprises

    • NSClient++ is the Windows client that has an NRPE listening module, developed externally by a third party

  • Plugin

    • This is what sends the request off to the client / agent

    • check_nrpe is the name of the binary

    • This is what is installed on the Nagios server, but is also installed on the NRPE client by default (not NSClient++)

 

 

Certificates

Why would you want to use certificates? It provides extra layers of security.

On the NRPE client a certificate can be used for encryption.

On the NRPE client, the ssl_client_certs directive specifies whether or not a certificate will be requested when the check_nrpe plugin tries to connect. A value of 2 for this directive would require that before communication can be established, the check_nrpe plugin must supply a valid certificate.

Certificates need to be issued by a certificate authority (CA), so it can be assumed that the certificate is from a trusted source because you have that CA in your configs.

What does supply a valid certificate mean? A certificate is valid if the certificate is within it's period of validity and it is from a trusted CA. 

NOTE: When using ssl_client_certs=2 in nrpe.cfg on the NRPE client, it is required that the ssl_cacert_file= , ssl_cert_file= and ssl_privatekey_file= are defined.

How many certificates are required?

  • NRPE Client
    • There should be a separate certificate for each NRPE client
    • In the instructions below the files are created as client_cert.xxx, this is to make the instructions clear and concise
  • check_nrpe Plugin
    • There is only one certificate required for the check_nrpe plugin

 

Following is an example of how to create the certificates and implement them.

 

 

Creating Certificates Using OpenSSL

The following example does not follow best practice for creating and running a CA or creating certificates. It is for testing or possibly for use in a small environment. Sloppy security is as bad as no security.

In reality your environment would have a dedicated CA server and you would request the certificates from your security team.

 

Create Certificate Authority

To provide a working example the first step will be to create a Certificate Authority to issue the certificates. In this example:

  • The CA will be created on the Nagios server

  • It is assumed that the openssl package is already installed on the server

  • We are going to put everything in the /usr/local/nagios/etc/ssl directory

 

Execute the following commands in an SSH session on your Nagios server.

Setup Directories

mkdir -p -m 750 /usr/local/nagios/etc/ssl
chown root.nagios /usr/local/nagios/etc/ssl
cd /usr/local/nagios/etc/ssl/
mkdir -m 750 ca nagios_server_certs client_certs
chown root.root ca
chown root.nagios nagios_server_certs client_certs
touch /etc/pki/CA/index.txt
echo '1000' > /etc/pki/CA/serial

 

Create Certificate Authority

cd /usr/local/nagios/etc/ssl/ca/
openssl req -x509 -newkey rsa:4096 -keyout ca_key.pem -out ca_cert.pem -utf8 -days 3650

 

You will be prompted to type a PEM pass phrase, make sure to keep a note of this as you will need it in the future.

You will be prompted to provide information, see the following example:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Minnesota
Locality Name (eg, city) [Default City]:Saint Paul
Organization Name (eg, company) [Default Company Ltd]:Nagios
Organizational Unit Name (eg, section) []:Monitoring
Common Name (eg, your name or your server's hostname) []:CA
Email Address []:email@domain.local

 

Now that the CA has been created you can proceed to create the NRPE client certificate and the check_npre plugin certificate.

 

 

NRPE Client Certificate

Create The Certificate

These commands are to be executed on the Nagios server as that is where the certificate authority was created earlier.

cd /usr/local/nagios/etc/ssl/client_certs/
openssl req -new -newkey rsa:2048 -keyout client_cert.key -out client_cert.csr -nodes

 

You will be prompted to type "A challenge password", do not type anything, just press Enter. The example also did not provide anything for "An optional company name". See the following example:

Generating a 2048 bit RSA private key
...............+++
....................+++
writing new private key to 'client_cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Minnesota
Locality Name (eg, city) [Default City]:Saint Paul
Organization Name (eg, company) [Default Company Ltd]:Nagios
Organizational Unit Name (eg, section) []:Monitoring
Common Name (eg, your name or your server's hostname) []:NRPE_Client    
Email Address []:email@domain.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

Next we have to sign this certificate request by our CA.

cd /usr/local/nagios/etc/ssl/
openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in client_certs/client_cert.csr -out client_certs/client_cert.pem

 

You will be prompted for the CA PEM pass phrase that you provided before when creating the Certificate Authority.

You will then be prompted to sign new certificate, answer y twice:

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca/ca_key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4096 (0x1000)
        Validity
            Not Before: Jul  6 03:59:02 2016 GMT
            Not After : Jul  6 03:59:02 2017 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Minnesota
            organizationName          = Nagios
            organizationalUnitName    = Monitoring
            commonName                = NRPE_Client
            emailAddress              = email@domain.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                3D:0D:FE:51:6E:1C:16:5F:21:05:46:4D:76:C6:2E:5B:1F:12:14:5C
            X509v3 Authority Key Identifier:
                keyid:5A:81:97:96:99:47:19:76:70:24:AB:EC:3B:BE:07:0C:E8:AD:4B:E7

Certificate is to be certified until Jul  6 03:59:02 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

The two files client_certs/client_cert.pem and client_certs/client_cert.key need to be copied to the server running the NRPE client along with the ca/ca_cert.pem file (covered in the next step).

 

Implement NRPE Client Certificate

On the NRPE client, execute the following commands to copy the certificates from the Nagios server (10.25.5.60 in this example):

mkdir -p /usr/local/nagios/etc/ssl
scp root@10.25.5.60:/usr/local/nagios/etc/ssl/ca/ca_cert.pem /usr/local/nagios/etc/ssl/
scp root@10.25.5.60:/usr/local/nagios/etc/ssl/client_certs/client_cert.key /usr/local/nagios/etc/ssl/
scp root@10.25.5.60:/usr/local/nagios/etc/ssl/client_certs/client_cert.pem /usr/local/nagios/etc/ssl/

 

If you don't have scp installed (openssh-clients) on both machines, then you will need to use another method to transfer the certificates from the Nagios server to the NRPE client.

Next the NRPE client config file needs updating so it knows to use the new certificate. In the file /usr/local/nagios/etc/nrpe.cfg you will need the following three entries:

ssl_cacert_file=/usr/local/nagios/etc/ssl/ca/ca_cert.pem
ssl_cert_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.pem
ssl_privatekey_file=/usr/local/nagios/etc/ssl/client_certs/client_cert.key

You should put them in the SSL section of the file (around line 220).

 

Then you need to restart the NRPE client, this will vary depending on the operating system you are on, some examples of the restart command are:

restart nrpe
service nrpe restart
systemctl restart nrpe.service

 

This completes creating and implementing the NPRE client certificate. If you would like to confirm if the certificate is being used, you will need to enable additional logging. In the file /usr/local/nagios/etc/nrpe.cfg you will need to add the following line:

ssl_logging=0x01

 Then restart the NRPE service. Once restarted you can observe the following log entries in the syslog /var/log/messages file (may vary on your operating system):

Jul  6 14:29:11 centos16 nrpe[1744]: SSL Certificate File: /usr/local/nagios/etc/ssl/client_cert.pem
Jul  6 14:29:11 centos16 nrpe[1744]: SSL Private Key File: /usr/local/nagios/etc/ssl/client_cert.key
Jul  6 14:29:11 centos16 nrpe[1744]: SSL CA Certificate File: /usr/local/nagios/etc/ssl/ca_cert.pem
Jul  6 14:29:11 centos16 nrpe[1744]: SSL Cipher List: ALL:!MD5:@STRENGTH
Jul  6 14:29:11 centos16 nrpe[1744]: SSL Allow ADH: Allow
Jul  6 14:29:11 centos16 nrpe[1744]: SSL Client Certs: Don't Ask
Jul  6 14:29:11 centos16 nrpe[1744]: SSL Log Options: 0x01
Jul  6 14:29:11 centos16 nrpe[1744]: SSL Version: TLSv1 And Above
Jul  6 14:29:11 centos16 nrpe[1744]: Starting up daemon
Jul  6 14:29:11 centos16 nrpe[1744]: Server listening on 0.0.0.0 port 5666.
Jul  6 14:29:11 centos16 nrpe[1744]: Server listening on :: port 5666.
Jul  6 14:29:11 centos16 nrpe[1744]: Warning: Daemon is configured to accept command arguments from clients!
Jul  6 14:29:11 centos16 nrpe[1744]: Listening for connections on port 5666
Jul  6 14:29:11 centos16 nrpe[1744]: Allowing connections from: 127.0.0.1,10.25.5.2

 

 

check_nrpe Plugin Certificate

Create The Certificate

This certificate is to be used on the Nagios server by the check_nrpe plugin.  These commands are to be executed on the Nagios server because this is where the certificate authority was created earlier.

cd /usr/local/nagios/etc/ssl/nagios_server_certs/
openssl req -new -newkey rsa:2048 -keyout nagios_server.key -out nagios_server.csr -nodes

 

You will be prompted to type "A challenge password", do not type anything, just press Enter. The example also did not provide anything for "An optional company name". See the following example:

Generating a 2048 bit RSA private key
....................................+++
..................+++
writing new private key to 'nagios_server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Minnesota
Locality Name (eg, city) [Default City]:Saint Paul
Organization Name (eg, company) [Default Company Ltd]:Nagios
Organizational Unit Name (eg, section) []:Monitoring
Common Name (eg, your name or your server's hostname) []:Nagios_Server
Email Address []:email@domain.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

Next we have to sign this certificate request by our CA.

cd /usr/local/nagios/etc/ssl/
openssl ca -days 365 -notext -md sha256 -keyfile ca/ca_key.pem -cert ca/ca_cert.pem -in nagios_server_certs/nagios_server.csr -out nagios_server_certs/nagios_server.pem

 

You will be prompted for the CA PEM pass phrase that you provided before when creating the Certificate Authority.

You will then be prompted to sign new certificate, answer y twice:

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca/ca_key.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4097 (0x1001)
        Validity
            Not Before: Jul  6 06:58:34 2016 GMT
            Not After : Jul  6 06:58:34 2017 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Minnesota
            organizationName          = Nagios
            organizationalUnitName    = Monitoring
            commonName                = Nagios_Server
            emailAddress              = email@domain.local
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F5:3C:09:60:EC:18:65:9A:E7:61:FB:39:60:E7:20:59:F9:E4:41:9B
            X509v3 Authority Key Identifier:
                keyid:5A:81:97:96:99:47:19:76:70:24:AB:EC:3B:BE:07:0C:E8:AD:4B:E7

Certificate is to be certified until Jul  6 06:58:34 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

The files ca/ca_cert.pem , nagios_server_certs/nagios_server.pem and nagios_server_certs/nagios_server.key will be referenced in the check_nrpe command (covered in the next step).

 

Using Certificates With check_nrpe Plugin

On the nagios server the check_nrpe command needs to reference the certificates in the command line. The remote NRPE client in this example is 10.25.13.34:

/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H 10.25.13.34

 

If it all was OK then the result will be something like:

NRPE v3.0

 

You will need to configure your Nagios command / service definitions to use the certificates. Alternatively you can create a check_nrpe config file and reference that in the command line, which can reduce the length of the overall command needing to be coded / typed. This is explained in detail in this KB article:

Documentation - NRPE - v3 check_nrpe Config File

 

 

Configure NRPE Client To Require Certificates

While the check_nrpe plugin is sending a certificate, NRPE v3 does not require a certificate unless you update the NRPE configuration file. At this point the NRPE Client is not enforcing the check_nrpe plugin to send a certificate and hence not providing additional security.

The NRPE client has the following configuration directive in the nagios.cfg file:

ssl_client_certs=

 

The options available are:

Values: 0 = Don't ask for or require client certificates (default)
        1 = Ask for client certificates
         2 = Require client certificates

 

Option 2 will require the check_nrpe plugin to supply a certificate (adding an extra layer of security). Option 1 means that it will ask check_nrpe to supply a certificate, but if it doesn't then it will still continue.

On the NRPE client, edit the file /usr/local/nagios/etc/nrpe.cfg and define the following:

ssl_client_certs=2

You should put them in the SSL section of the file (around line 230).

 

Then you need to restart the NRPE client, this will vary depending on the operating system you are on, some examples of the restart command are:

restart nrpe
service nrpe restart
systemctl restart nrpe.service

 

Going back to the nagios server execute the check_nrpe command again:

/usr/local/nagios/libexec/check_nrpe -A /usr/local/nagios/etc/ssl/ca/ca_cert.pem -C /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.pem -K /usr/local/nagios/etc/ssl/nagios_server_certs/nagios_server.key -H 10.25.13.34

 

If it all was OK then the result will be something like:

NRPE v3.0

 

Here's what happens if you don't supply the certificate:

/usr/local/nagios/libexec/check_nrpe -H 10.25.13.34

 

The result will be something like:

CHECK_NRPE: Error - Could not complete SSL handshake with 10.25.13.34: 1

 

If you would like to confirm if the certificate is being used, you will need to enable additional logging. In the file /usr/local/nagios/etc/nrpe.cfg you will need to add the following line:

ssl_logging=0xff

Then restart the NRPE service. Once restarted you can observe the following log entries in the syslog /var/log/messages file (may vary on your operating system).

When a certificate was used:

Jul  6 17:40:27 centos16 nrpe[1951]: Remote 10.25.5.60 - SSL Version: TLSv1.2
Jul  6 17:40:27 centos16 nrpe[1951]: Remote 10.25.5.60 - TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Jul  6 17:40:27 centos16 nrpe[1951]: SSL Client 10.25.5.60 has a valid certificate
Jul  6 17:40:27 centos16 nrpe[1951]: SSL Client 10.25.5.60 Cert Name: /C=US/ST=Minnesota/O=Nagios/OU=Monitoring/CN=Nagios_Server/emailAddress=email@domain.local
Jul  6 17:40:27 centos16 nrpe[1951]: SSL Client 10.25.5.60 Cert Issuer: /C=US/ST=Minnesota/L=Saint Paul/O=Nagios/OU=Monitoring/CN=CA/emailAddress=email@domain.local

 

When a certificate was not used:

Jul  6 17:39:17 centos16 nrpe[1949]: Error: Could not complete SSL handshake with 10.25.5.60: peer did not return a certificate

 

 

Certificate Arguments Explained

In the examples above you were walked through the process of creating certificates, defining them in nrpe.cfg and the check_nrpe command line arguments. A clear explanation of the files are as follows:

NRPE Client

Directive Explanation
ssl_cert_file= The certificate that the NRPE Client uses to provide encryption
ssl_privatekey_file= The corresponding key file for ssl_cert_file=
ssl_cacert_file= The certificate authority file that the NRPE Client uses to validate the certificate provided by the check_nrpe plugin

 

check_nrpe Plugin

Directive Explanation
-C <clientcert> The certificate that the check_nrpe plugin submits to the NRPE Client to prove it's validity
-K <key> The corresponding key file for -C <clientcert>
-A <ca-certificate> The certificate authority file that the check_nrpe plugin uses to validate the certificate provided by the NRPE Client for encryption

 

When you are using the same CA to issue the check_nrpe plugin and NRPE client certificates it is very straight forward to configure and use.

However when you use separate CA's to issue the check_nrpe plugin and NRPE client certificates, the CA certificates must be placed in the following manner:

  • check_nrpe plugin

    • The CA certificate referenced by -A <ca-certificate> must the CA certificate that issued the NRPE client certificate
  • NRPE Client

    • The CA certificate referenced by ssl_cacert_file= must the CA certificate that issued the check_nrpe plugin certificate

 

 

SSL/TLS Version and Ciphers

There are arguments that allow the check_npre plugin (command line arguments) and the NRPE client (nrpe.cfg) to define what SSL/TLS version and ciphers are allowed to be used. The strongest method that is negotiated between the plugin and the client will determine what will be used.

 

check_npre Plugin NRPE Client Default Used
-S <ssl version> ssl_version= TLSv1+
-L <cipherlist> ssl_cipher_list= ALL:!MD5:@STRENGTH

 

This is quite a complicated topic, if you would like to understand more about this please refer to the OpenSSL documentation:

Documentation - SSL / TLS

Documentation - OpenSSL ciphers

 

 

Final Thoughts

For any support related questions please visit the Nagios Support Forums at:

http://support.nagios.com/forum/

5 (3)
Article Rating (3 Votes)
Rate this article
  • Icon PDFExport to PDF
  • Icon MS-WordExport to MS Word
Attachments Attachments
There are no attachments for this article.
Related Articles RSS Feed
Nagios XI - Using NSClient++ For Passive Checks
Viewed 980 times since Thu, Jan 14, 2016
NRPE - Upgrading To NRPE v3 From Source
Viewed 7390 times since Mon, Jul 11, 2016
Nagios XI - How To Monitor Apache ActiveMQ With Nagios XI
Viewed 8274 times since Wed, Jan 27, 2016
Nagios XI - Monitoring Windows Using NSClient++
Viewed 1786 times since Wed, Jan 27, 2016
NRPE - How To Install NRPE v3 From Source
Viewed 62518 times since Fri, Jun 3, 2016
Nagios XI - Upgrading The Linux NRPE Agent
Viewed 220 times since Wed, Aug 30, 2017
Nagios XI - Using Scripts / Plugins With NSClient++
Viewed 5855 times since Wed, Jul 27, 2016
Nagios XI - Mass Deploy NSClient++
Viewed 1226 times since Thu, Jan 14, 2016
Nagios XI - Installing The Solaris Agent
Viewed 2054 times since Wed, Jan 27, 2016
Nagios XI - How To Check For Windows Updates With Nagios XI
Viewed 1017 times since Wed, Jan 27, 2016