
FAQ Database : Addons : NRPE

Title:How do I use TCP wrappers with the NRPE addon?
FAQ ID:F0101
Submitted By:Sean Knox 
Last Updated:04/25/2006

Description:How do I use TCP Wrappers with the NRPE addon for added security? 

Solution:

HOWTO: NRPE + TCP WRAPPERS

TCP Wrappers lets you restrict access to services by hostname and IP address. It can also log every access attempt via syslog, or spawn a shell command in response to certain kinds of access. A good primer on TCP Wrappers can be found here:

http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-tcpwrappers.html

This HOWTO runs nrpe from inetd behind tcpd, so the access check happens before nrpe is even started, whatever options nrpe itself was built with. It assumes a.) inetd is installed with TCP Wrapper support (the tcpd wrapper program) and b.) nrpe is currently installed and working. Both of these items are outside the scope of this FAQ; most modern Linux and BSD distros ship inetd and TCP Wrappers ready to go out of the box. See the README file that comes with nrpe to get a basic configuration working.

On the clients (the servers Nagios will check via NRPE)

1. Configure nrpe.cfg

Since we're running nrpe from inetd, the parts of the configuration file that describe nrpe's own listening socket (server_port, server_address and so on) are ignored, because inetd now owns the socket; likewise it is tcpd, not nrpe's allowed_hosts check, that decides who gets in. No change to an existing nrpe installation is necessary. The part that is still used is the command definition section: use the commands already defined or define your own.

2. Modify /etc/services

This file maps the service name "nrpe" (which inetd will look up) to the port nrpe will listen on. Add an entry like so:

nrpe            9000/tcp                        # nrpe daemon

NRPE's conventional port is 5666; whichever port you put here, the Nagios server has to query that same port (check_nrpe -p 9000 for the entry above).

3. Add an entry for NRPE in /etc/inetd.conf

nrpe    stream  tcp     nowait  nagios /usr/sbin/tcpd /usr/local/nagios/nrpe -c /usr/local/nagios/nrpe.cfg --inetd

Be sure that a.) user "nagios" exists, b.) the nrpe binary is in /usr/local/nagios and c.) nrpe.cfg is located in /usr/local/nagios. Obviously if your installation differs (many installs keep the binary in /usr/local/nagios/bin and the config in /usr/local/nagios/etc), modify as necessary. The service name in the first field must be the one you added to /etc/services, and tcpd identifies the wrapped service by the basename of the program it starts, so "nrpe" is the daemon name you will use in hosts.allow and hosts.deny.

4. Modify /etc/hosts.allow and /etc/hosts.deny

Now it's time to use TCP Wrappers to restrict access to nrpe.

First give access to your Nagios station(s) in /etc/hosts.allow. IP addresses are the safest way to list a client, because a hostname pattern depends on DNS: tcpd resolves the client's address to a name and then checks that the name resolves back to the same address, and a client that fails that check does not match any hostname pattern. The LOCAL wildcard matches any client whose name contains no dot:

# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5), hosts_options(5)
#                   and /usr/doc/netbase/portmapper.txt.gz
#
nrpe: LOCAL, 192.168.3.1, nagios.foobar.com

Then deny all other hosts in /etc/hosts.deny. Don't skip this: tcpd consults hosts.allow first, then hosts.deny, and a client that matches neither file is let in, so without this entry any host not listed above can still talk to nrpe:

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5), hosts_options(5)
#                  and /usr/doc/netbase/portmapper.txt.gz
nrpe: ALL
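The decision order that matters here (hosts.allow is consulted first, then hosts.deny, and a client matched by neither is let in) is easy to get wrong. The following script is an added example, not code from this FAQ or from the TCP Wrappers package: it re-implements that order in plain sh for the subset of hosts_access(5) syntax used above, runs it over constructed copies of the two files from step 4, and shows what happens when the hosts.deny line is forgotten. It also goes a little beyond the FAQ's own rules by handling the ".domain", "1.2.3." and EXCEPT patterns from hosts_access(5). The sample addresses and names (192.168.3.77, 10.9.8.7, attacker.example.net, intranet) are made up for the demonstration; nothing here touches the real /etc/hosts.allow or /etc/hosts.deny.

```sh
#!/bin/sh
# Added example (not from the FAQ): a small re-implementation of tcpd's
# decision order for the hosts_access(5) subset used in this HOWTO.
#   1. first matching rule in hosts.allow   -> access granted
#   2. else first matching rule in hosts.deny -> access denied
#   3. else                                   -> access granted (!)
# Client patterns handled: ALL, LOCAL, an IPv4 address, a hostname,
# ".domain" (name suffix), "1.2.3." (address prefix) and one EXCEPT.
# hosts_options(5) suffixes (": allow", ": spawn ...") are not handled.

# pattern_matches PATTERN CLIENT_IP CLIENT_HOST -> status 0 on a match
pattern_matches() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$3" in ""|*.*) return 1 ;; *) return 0 ;; esac ;;  # name without a dot
        .*)    case "$3" in *"$1") return 0 ;; *) return 1 ;; esac ;;   # domain suffix
        *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;   # network prefix
    esac
    if [ "$1" = "$2" ] || [ "$1" = "$3" ]; then return 0; else return 1; fi
}

# list_matches "CLIENT_LIST" CLIENT_IP CLIENT_HOST -> status 0 if the
# comma/space separated list matches; "A EXCEPT B" matches A but not B.
list_matches() {
    case "$1" in
        *" EXCEPT "*)
            set -- "${1%% EXCEPT *}" "${1#* EXCEPT }" "$2" "$3"
            list_matches "$1" "$3" "$4" || return 1
            if list_matches "$2" "$3" "$4"; then return 1; else return 0; fi ;;
    esac
    for p in $(printf '%s\n' "$1" | tr ',' ' '); do
        if pattern_matches "$p" "$2" "$3"; then return 0; fi
    done
    return 1
}

# file_matches FILE DAEMON CLIENT_IP CLIENT_HOST -> status 0 if any
# "daemon-list : client-list" rule in FILE matches (comments stripped).
file_matches() {
    [ -r "$1" ] || return 1
    sed 's/#.*//' "$1" | {
        while IFS= read -r rule; do
            case "$rule" in *:*) ;; *) continue ;; esac
            clients=$(printf '%s\n' "${rule#*:}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
            for d in $(printf '%s\n' "${rule%%:*}" | tr ',' ' '); do
                if [ "$d" = ALL ] || [ "$d" = "$2" ]; then
                    if list_matches "$clients" "$3" "$4"; then exit 0; fi  # leaves the subshell
                fi
            done
        done
        exit 1
    }
}

# hosts_access DAEMON CLIENT_IP CLIENT_HOST ALLOW_FILE DENY_FILE
# Prints ALLOW or DENY (always returns 0) following tcpd's order above.
hosts_access() {
    if   file_matches "$4" "$1" "$2" "$3"; then echo ALLOW
    elif file_matches "$5" "$1" "$2" "$3"; then echo DENY
    else echo ALLOW      # matched by neither file: tcpd's default is to permit
    fi
}

# --- constructed sample files (copies of the rules from step 4) ---
DEMO=${TMPDIR:-/tmp}/nrpe-tcpd-demo.$$
mkdir -p "$DEMO"
trap 'rm -rf "$DEMO"' EXIT
ALLOW=$DEMO/hosts.allow; DENY=$DEMO/hosts.deny
EMPTY_DENY=$DEMO/hosts.deny.empty   # what you have if the hosts.deny edit was forgotten
NET_ALLOW=$DEMO/hosts.allow.net     # hypothetical variant: whole subnet minus one host
printf 'nrpe: LOCAL, 192.168.3.1, nagios.foobar.com\n' >"$ALLOW"
printf 'nrpe: ALL\n' >"$DENY"
: >"$EMPTY_DENY"
printf 'nrpe: 192.168.3. EXCEPT 192.168.3.99\n' >"$NET_ALLOW"

# decide CLIENT_IP CLIENT_HOST [ALLOW_FILE] [DENY_FILE] -> prints the decision
decide() {
    hosts_access nrpe "$1" "$2" "${3:-$ALLOW}" "${4:-$DENY}"
}

# Run directly to print a small table; the last line shows the trap:
# without "nrpe: ALL" in hosts.deny an unlisted host is let in.
for c in "192.168.3.1 nagios" "192.168.3.77 nagios.foobar.com" \
         "10.9.8.7 attacker.example.net" "192.168.3.50 intranet"; do
    set -- $c
    printf '%-14s %-24s %s\n' "$1" "$2" "$(decide "$1" "$2")"
done
printf '%-14s %-24s %s  (empty hosts.deny)\n' 10.9.8.7 attacker.example.net \
    "$(decide 10.9.8.7 attacker.example.net "$ALLOW" "$EMPTY_DENY")"
```

The real tcpd does the same three-step evaluation (with the full pattern language and hosts_options(5) on top), which is why the hosts.deny entry is not optional: it is the only thing that turns the default from "permit" into "refuse".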

5. Kill any running nrpe processes and restart inetd

mr.monitor:/usr/local/nagios/libexec# killall nrpe
mr.monitor:/usr/local/nagios/libexec# killall -HUP inetd

The HUP makes inetd re-read inetd.conf (and look up the new service name). If nrpe was started as a standalone daemon by an init script, disable that script as well; otherwise a reboot brings back a daemon that listens on its own and bypasses tcpd entirely.

6. Make sure nrpe is listening

mr.monitor:/usr/local/nagios/libexec# netstat -pta

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
tcp        0      0 *:ssh                   *:*                     LISTEN      15889/sshd         
tcp        0      0 *:nrpe                  *:*                     LISTEN      20519/inetd
---snip---

If you configured everything correctly, you should see inetd listening on the nrpe port, as above. To troubleshoot, try telnetting to your nrpe port from a remote box. "Connection refused" means nothing is listening on the port at all (inetd did not pick up the new entry, or /etc/services and inetd.conf disagree on the service name). A connection that opens and is then closed immediately means inetd accepted it but tcpd turned the client away; tcpd logs that to syslog as "refused connect from ...", so check your syslog files for that line. Finally, test from an allowed host with /usr/local/nagios/libexec/check_nrpe -H <nrpe host> -p 9000 (no -c), which should print the NRPE version, and from a host that is not listed, where it should fail.

This should do it- good luck!

Please write with any comments or corrections to sean.knox@sbcglobal.net.

Keywords:nrpe security tcp wrappers