world viewable
Mike McClure
mmcclure at pneservices.com
Tue Oct 7 23:32:54 CEST 2003
> We've been using IP based authentication with nagios, instead of
> passworded access. In the beginning it was easier, but DHCP is making
> this a pain.
Not to mention that stealing an IP address is extremely simple.
> I've been asked to:
>
> 1) Switch to passworded access. Can this be done over ssl/tls?
Generally, yes, but it really depends on the HTTP server you are using. Apache is
fully capable of such a configuration. The SSL/TLS protocol is exclusive of the
HTTP authentication protocol.
> 2) Make our nagios visible to anyone on the web. Are there security
> risks involved with this?
Of course. There are always risks with making any system accessible on a public
network like the Internet.
> "admin risks" involved with endusers being
> able to see what's up and what's down?
A big part of attacking a network is reconnaissance. The more information you
provide to an attacker, the easier you make their "task".
> We entirely drive our nagios
> configs by a locally-written set of CGI scripts - is there a way to make
> the entire web interface readonly?
Yes. Don't allow access to any CGI scripts which can change the state of the
system. The method for doing so depends on your HTTP server.
> Are there other things I should
> watch out for in this security transition?
Policies, policies, policies. If you don't clearly define them, you are just
guessing, and that's not good.
Also, if you're worried about security, use a highly secure platform like OpenBSD or
SE Linux. And don't enable services on it that you don't need.
>
> TIA.
>
> --
> Dan Stromberg DCS/NACS/UCI <strombrg at dcs.nac.uci.edu>
>
>
--
Mike McClure, CCIE # 5125, CISSP # 30232
PNE Services, Inc. - http://www.pneservices.com
mmcclure [at] pneservices [dot] com
mobile: 913-636-5590
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list