HOWTO: NRPE+TCP Wrappers

Sean Knox sean.knox at sbcglobal.net
Wed Oct 30 09:55:38 CET 2002


Hi all, I wrote a quick howto for nrpe+tcp wrappers. I submitted it to 
Ethan and it will hopefully show up at www.nagios.org/faqs soon. Take a 
look and inform me of any errors contained. Thanks!

Thanks,
Sean

-----------------------------------------------

HOWTO: NRPE + TCP WRAPPERS

TCP Wrappers lets you restrict access to services by hostname and 
IP address. In addition, you can use TCP Wrappers to log access 
to services via syslog or to spawn shell commands in response to certain 
types of access. A good primer on TCP Wrappers can be found here:

http://www.redhat.com/docs/manuals/linux/RHL-7.3-Manual/ref-guide/ch-tcpwrappers.html

Using TCP Wrappers requires that nrpe be run from inetd. This document 
assumes a.) inetd is compiled with TCP Wrapper support and b.) nrpe is 
currently installed and working. Both of these items are outside the 
scope of this FAQ. However, you can rest assured that most modern Linux 
and BSD distros have inetd+TCP wrapper functionality ready to go out of 
the box. Check out the README file that comes with nrpe to get a basic 
configuration working.

On the clients (the servers Nagios will check via NRPE)

1. Configure nrpe.cfg

Since we're running nrpe from inetd, most of the configuration file is 
ignored. No change in existing nrpe installations is necessary. The only 
portion that is used is the command definition section. Use the commands 
already defined or define your own.

2. Modify /etc/services

This file will designate the port nrpe will listen on. Add an entry like so:

nrpe 9000/tcp # nrpe daemon


3. Add an entry for NRPE in /etc/inetd.conf

nrpe stream tcp nowait nagios /usr/sbin/tcpd /usr/local/nagios/nrpe -i /usr/local/nagios/nrpe.cfg

Be sure that a.) user "nagios" exists, b.) the nrpe daemon is in 
/usr/local/nagios and c.) nrpe.cfg is located in /usr/local/nagios. 
Obviously if your installation differs, modify as necessary.

4. Modify /etc/hosts.allow and /etc/hosts.deny

Now it’s time to use TCP Wrappers to restrict access to nrpe.

First give access to your Nagios station(s) in /etc/hosts.allow:

# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5), hosts_options(5)
# and /usr/doc/netbase/portmapper.txt.gz
#
nrpe: LOCAL, 192.168.3.1, nagios.foobar.com

Restrict access to all other hosts in /etc/hosts.deny:

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5), hosts_options(5)
# and /usr/doc/netbase/portmapper.txt.gz
nrpe: ALL

5. Kill any running nrpe processes and restart inetd

mr.monitor:/usr/local/nagios/libexec# killall nrpe
mr.monitor:/usr/local/nagios/libexec# killall -HUP inetd

6. Make sure nrpe is listening

mr.monitor:/usr/local/nagios/libexec# netstat -pta

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 15889/sshd
tcp 0 0 *:nrpe *:* LISTEN 20519/inetd
---snip---

If you configured everything correctly, you should see nrpe listening. 
To troubleshoot, try telnetting to your nrpe port from a remote box. If 
you receive "connection refused by host", make sure nrpe is actually 
listening on the port.

This should do it. Good luck!

Please write with any comments or corrections to sean.knox at sbcglobal.net.
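
The lookup order tcpd applies to the step 4 files, as an added example (not part of the original post or of NRPE): hosts.allow is searched first, then hosts.deny, and a client matching neither file is let in, which is why the "nrpe: ALL" line in hosts.deny matters. It models only a subset of the hosts_access(5) patterns, for IPv4; the function names and the test addresses other than those in step 4 are constructed for illustration.

```python
import ipaddress

# Constructed copies of the two rule lines from step 4 (comment lines omitted).
HOSTS_ALLOW = "nrpe: LOCAL, 192.168.3.1, nagios.foobar.com\n"
HOSTS_DENY = "nrpe: ALL\n"

def _rules(text):
    """Yield (daemon_list, client_list) for each rule line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        fields = line.split(":")  # a third field (options/shell command) is ignored
        yield fields[0].replace(",", " ").split(), fields[1].replace(",", " ").split()

def _client_matches(pattern, ip, host):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":        # known hostname that contains no dot
        return bool(host) and "." not in host
    if pattern.startswith("."):   # domain suffix, e.g. .foobar.com
        return bool(host) and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):     # address prefix, e.g. 192.168.3.
        return ip.startswith(pattern)
    if "/" in pattern:            # net/mask, e.g. 192.168.3.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or (bool(host) and pattern.lower() == host.lower())

def _file_matches(text, daemon, ip, host):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(_client_matches(p, ip, host) for p in clients)
        for daemons, clients in _rules(text)
    )

def tcpd_decision(daemon, ip, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: allow file first, then deny file, else grant."""
    if _file_matches(allow, daemon, ip, host):
        return "granted"
    if _file_matches(deny, daemon, ip, host):
        return "denied"
    return "granted"  # no match in either file means access is allowed

if __name__ == "__main__":
    for ip, host in [("192.168.3.1", None), ("10.9.8.7", "other.example.org")]:
        print(ip, host, tcpd_decision("nrpe", ip, host))
    # With hosts.deny left empty, the same unlisted host is granted access:
    print(tcpd_decision("nrpe", "10.9.8.7", "other.example.org", deny=""))
```

On a real client, tcpdmatch (shipped with TCP Wrappers) performs the same check against the installed files, for example "tcpdmatch nrpe 192.168.3.1".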



