HOWTO: NRPE+TCP Wrappers
Sean Knox
sean.knox at sbcglobal.net
Wed Oct 30 09:55:38 CET 2002
Hi all, I wrote a quick howto for nrpe+tcp wrappers. I submitted it to
Ethan and it will hopefully show up at www.nagios.org/faqs soon. Take a
look and inform me of any errors contained. Thanks!
Thanks,
Sean
-----------------------------------------------
HOWTO: NRPE + TCP WRAPPERS
TCP Wrappers lets you restrict access to services by hostname and
IP address. In addition, you can use TCP Wrappers to log access
to services via syslog or to spawn shell commands in response to certain
types of access. A good primer on TCP Wrappers can be found here:
http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-tcpwrappers.html
Using TCP Wrappers requires that nrpe be run from inetd. This document
assumes a.) inetd is compiled with TCP Wrapper support and b.) nrpe is
currently installed and working. Both of these items are outside the
scope of this FAQ. However, you can rest assured that most modern Linux
and BSD distros have inetd+TCP wrapper functionality ready to go out of
the box. Check out the README file that comes with nrpe to get a basic
configuration working.
On the clients (the servers Nagios will check via NRPE)
1. Configure nrpe.cfg
Since we're running nrpe from inetd, most of the configuration file is
ignored. No change in existing nrpe installations is necessary. The only
portion that is used is the command definition section. Use the commands
already defined or define your own.
2. Modify /etc/services
This file will designate the port nrpe will listen on. Add an entry like so:
nrpe 9000/tcp # nrpe daemon
3. Add an entry for NRPE in /etc/inetd.conf
nrpe stream tcp nowait nagios /usr/sbin/tcpd /usr/local/nagios/nrpe -i /usr/local/nagios/nrpe.cfg
Be sure that a.) user "nagios" exists, b.) the nrpe daemon is in
/usr/local/nagios and c.) nrpe.cfg is located in /usr/local/nagios.
Obviously if your installation differs, modify as necessary.
4. Modify /etc/hosts.allow and /etc/hosts.deny
Now it’s time to use TCP Wrappers to restrict access to nrpe.
First give access to your Nagios station(s) in /etc/hosts.allow:
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5), hosts_options(5)
# and /usr/doc/netbase/portmapper.txt.gz
#
nrpe: LOCAL, 192.168.3.1, nagios.foobar.com
Restrict access to all other hosts in /etc/hosts.deny:
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5), hosts_options(5)
# and /usr/doc/netbase/portmapper.txt.gz
nrpe: ALL
5. Kill any running nrpe processes and restart inetd
mr.monitor:/usr/local/nagios/libexec# killall nrpe
mr.monitor:/usr/local/nagios/libexec# killall -HUP inetd
6. Make sure nrpe is listening
mr.monitor:/usr/local/nagios/libexec# netstat -pta
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 15889/sshd
tcp 0 0 *:nrpe *:* LISTEN 20519/inetd
---snip---
If you configured everything correctly, you should see nrpe listening.
To troubleshoot, try telnetting to your nrpe port from a remote box. If
you receive "connection refused by host", make sure nrpe is actually
listening on the port.
This should do it- good luck!
Please write with any comments or corrections to sean.knox at sbcglobal.net.
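
The following is an added example, not part of the original howto and not tcpd's own code. It is a simplified Python model of how hosts_access(5) evaluates the step 4 rules, showing why the "nrpe: ALL" line in hosts.deny matters and that name-based entries depend on what the client's address resolves to. The function names and the client addresses in the usage note are constructed for illustration; only a subset of the pattern syntax is handled.

```python
# Added example: simplified hosts_access(5) evaluation, not tcpd's own code.
# Subset only: ALL, LOCAL, exact IP or name, ".domain" suffix, "a.b.c." prefix.
HOSTS_ALLOW = "# constructed from step 4\nnrpe: LOCAL, 192.168.3.1, nagios.foobar.com\n"
HOSTS_DENY = "nrpe: ALL\n"


def parse(text):
    """Return [(daemons, clients)] for each rule line; '#' lines are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]  # a third field (options) is ignored
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, ip, hostname):
    """hostname is the name resolved for ip, or None if the lookup failed."""
    name = hostname.lower() if hostname else None
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":  # any resolved name without a dot
        return name is not None and "." not in name
    if pattern.startswith("."):  # domain suffix
        return name is not None and name.endswith(pattern.lower())
    if pattern.endswith("."):  # address prefix
        return ip.startswith(pattern)
    return pattern == ip or pattern.lower() == name


def listed(rules, daemon, ip, hostname):
    """True if any rule names the daemon (or ALL) and one client pattern matches."""
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, ip, hostname) for p in clients)
               for daemons, clients in rules)


def allowed(daemon, ip, hostname, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is checked first, then hosts.deny; no match in either grants."""
    if listed(parse(allow_text), daemon, ip, hostname):
        return True
    if listed(parse(deny_text), daemon, ip, hostname):
        return False
    return True
```

Calling allowed("nrpe", "10.9.8.7", "other.example.net") returns False with both files in place, but True when deny_text is empty, because a client matched by neither file is granted access.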