nrpe on Microsoft machines
Michael Tucker
mtucker at airmail.net
Fri Jan 16 21:54:08 CET 2004
On Friday, January 16, 2004, at 02:08 PM, Neil wrote:
> It's me again. I have a question about security in the NRPE service on
> Windows machines. Nagios is getting good visibility where I work.
> But their concern is that it's open source. What can you guys say about
> the NRPE service? What's the best way of protecting it? The reason I am
> asking this is because Nagios will be monitoring production servers.
Under Unix, nrpe can be run under inetd; so you have the benefit of tcp
wrappers to improve security (a little). In theory, you also have SSL
security available, which would be very nice; but in practice, I have
been unable to get that to work (for Solaris 9).
Under Windows, I have to leave that answer to someone else. :-)
> And also, rstatd on Solaris. Our Solaris machines are in production too. What
> can you say about security issues in rstatd, if there are any? Are there
> any other alternatives to monitor Solaris CPU, disk, etc.?
> Thanks guys for your help.
> neil
>
As of 1997, there was a well-documented vulnerability in statd/rstatd
(see CERT® Advisory CA-97.26.statd,
<http://www.cert.org/advisories/CA-97.26.statd.html>, "Buffer Overrun
Vulnerability in statd(1M) Program"). But there have been effective
patches that solve that problem since 1999. If your Solaris machines
are up to date on their patches, I don't think you should have a problem
with that particular vulnerability.
Of course, any time you have a machine with RPC services (such as
rstatd) exposed to the Internet, you face a certain amount of risk. My
advice is to shelter your production servers behind a good firewall.
Don't allow the Internet to "see" their RPC service ports. Only allow a
server running Nagios *behind* the firewall to access those machines.
If it must report to a Nagios server outside the firewall, you can do
so via nsca (which has some nice encryption schemes available to it,
including Blowfish and 3DES). At worst, the Nagios distributed server
is the "sacrificial goat" that is visible to the Internet, and
therefore subject to being hacked. Your production machines should be
relatively secure in such a configuration.
I am using check_disk, check_users, etc., locally on a monitored
Solaris host; using nrpe and check_nrpe to collect the results on a
distributed Nagios server on that host's LAN (which does checks, but
not notifications); and using nsca and send_nsca to pass the results to
a central Nagios server, which does notifications, etc., but no active
checks (only passive service checks).
Obviously, you have to be the final judge of your own security policies
and how they are implemented, but personally, I feel pretty secure with
such a setup. Your mileage may vary.
Yours,
Michael
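
The layering described in this message (nrpe started from inetd behind tcp wrappers, and nsca results encrypted on the way to the central server), sketched as configuration fragments. This is an added example, not part of the original post; the file paths, the 192.0.2.10 address of the LAN Nagios server and the password are placeholder assumptions.

```conf
# --- /etc/services on the monitored Solaris host ---
nrpe            5666/tcp

# --- /etc/inetd.conf on the monitored host ---
# inetd starts tcpd (tcp wrappers), which checks hosts.allow/hosts.deny
# before handing the connection to nrpe. Paths are assumptions.
nrpe stream tcp nowait nagios /usr/sfw/sbin/tcpd /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg --inetd

# --- /etc/hosts.allow on the monitored host ---
# Only the distributed Nagios server on the same LAN may reach nrpe.
nrpe: 192.0.2.10

# --- /etc/hosts.deny on the monitored host ---
# Everything else is refused.
nrpe: ALL

# --- send_nsca.cfg on the distributed Nagios server ---
# Passive results are encrypted before they leave the LAN.
# encryption_method: 3 = 3DES, 8 = Blowfish (0 = none, 1 = simple XOR)
password=CHANGE_ME_PLACEHOLDER
encryption_method=3

# --- nsca.cfg on the central Nagios server ---
# Must match the sender's password and method exactly.
password=CHANGE_ME_PLACEHOLDER
decryption_method=3
```

Both nsca files contain the shared password in clear text, so they should be readable only by the account that runs nsca or send_nsca.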