check_by_ssh question
Andreas Ericsson
ae at op5.se
Sat Mar 27 20:35:01 CET 2004
Peter Gutmann wrote:
> Why no I have not been following the thread from the beginning of time.
> Having just started getting Nagios setup here to watch some our trading
> applications. I joined the mailing list within the last few days to learn
> a bit more about Nagios from other people that are using it.
>
You can read erlier postings on the thread in the archives.
> The security of a network is not obtained by any single action. However,
> it is obtained by understanding the needs of the applications and the
> environment that the applications live in, and when it is done best it
> looks a lot like an onion. The best way to look at it, is to have defense
> in depth and not to rely on a single method of protecting yourself. This
> is where you have a number of different methods of protecting yourself and
> watching what is going on. The goal would be to have all of the pieces to
> work together to tell you when something goes wrong. While you are still
> in a position to do something about it.
>
Thank you for reciting the opening paragraph of the latest 'security
consciousness' lecture you went to. Seems like something a CEO would
like to hear the companys money was spent on, while none but the very
freshest administrators would learn anything form it.
> While I STILL don't know anything about what you are looking to protect
> (other than you are concerned about Nagios being open) or the environment
> that it lives in. So, I am, to some extent just guessing about what you
> are looking to accomplish and how much you are willing to put into it. If
> you are an ISP, that is a wholly different problem than protecting a
> trading floor, or protecting the network in the corner grocery. So, there
> are a number of layers to this onion called trust.
>
More smoke from the bag. General security discussions are held on
bugtraq, vuln-dev et al.
> I am suggesting that you implement a screening routers that LOG unusual
> events as an ADDITION to all of the usual things for you environment.
> While I KNOW that this is not the whole answer, my reading of your e-mail
> was that you were looking for an application (even if you cover it with
> SSL) that does no authentication to tell you about problems. Perhaps I was
> wrong.
>
Yes, you were. We're discussing the specific dangers of running
check_by_ssh on a large number of hosts from the nagios server.
On a side-note; Suggest all you want, but please read the backlogs in
the mail-archives first.
> Snort or another NDIS tool can watch the number of packets per unit time
> between hosts and flag ABOVE and below the threshold. In addition,
> trapping and logging ALL connection attempts and failed logins.
Network intrusion detection systems have been brought up and quite
firmly put down (from this discussion, that is), seeing as all they can
really do is let you know what went wrong, and when. We're looking to
prevent it from happening in the first place.
> BTW: Have
> you looked at IP/SEC? that is a way of authenticating (at a hardware
> level) a level of trust between machines
>
IP/SEC faces the same problems as running SSH with public / private
keypairs (well, similar anyways). You can't allow one thing and disallow
another in a matter which is non-exploitable, seeing as the monitoring
process needs access rights enough to run applications on the remote host.
All it would really do is to add another layer of encryption, which
actually might lessen security rather than tighten it (consider CBC vs CFB).
> Peter
> ----
> Peter Gutmann
> Peter.Gutmann at db.com
>
>
--
Mvh / Best Regards
Sourcerer / Andreas Ericsson
OP5 AB
+46 (0)733 709032
andreas.ericsson at op5.se
-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
More information about the Users
mailing list