NRPE/NSCA replacement thoughts?

Kevin Keane subscription at kkeane.com
Fri Feb 19 13:42:41 CET 2010


> -----Original Message-----
> From: Michael Schwartzkopff [mailto:misch at multinet.de]
> 
> On Friday, 19 February 2010 11:58:45, Flyinvap wrote:
> > On Fri, 19 Feb 2010 11:28:25 +0100,
> >
> > Michael Schwartzkopff <misch at multinet.de> wrote:
> > > - SNMPv1 is quite secure if you use ACLs.
> >
> > Quite secure? With UDP (spoofing) and a community not encrypted?
> > SNMP: Security Not My Problem ;-)
> 
> OK. With IP spoofing you can send packages. But if you do not the
> routing back you will never receive the answer. So what.

You could make that argument about all IP spoofing. Yet it is one of the more popular hacker tools. Mostly because many types of hack don't require the answer. Either the answer is well known or easily guessable (such as the prompts in the SMTP protocol, for instance), or the mischief happens by the spoofed packet.

With UDP the problem is compounded because there is no need to even try to establish a connection. Just send your spoofed packet complete with payload and all.

Right off the bat, I can think of three ways to use that quite nefariously.

1) Denial of service. Simply send so many bogus SNMP packets to a Nagios server that it gets overloaded and stops handling the real check results.
2) Denial of service. Send malformed SNMP packets that crash Nagios. Are you sure that there is no buffer overflow in Nagios? Anywhere?
3) Perform an attack on a monitored server and send spoofed "I am healthy" SNMP messages to Nagios while the server in reality is down. What messages to send is easy to find out by plain network monitoring, since SNMP is not encrypted.

And the more powerful the protocol is, the greater the risk. Which goes totally counter to the idea of "NRPE or NSCA is not enough".

> > > - SNMPv3 should not be any problem for any recent hardware.
> >
> > Yes, but it uses more resources than NRPE so you can probably check
> > less services.
> 
> That's why I use SNMPv1 with ACLs.

... which is a proprietary extension.
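
The point argued in this message is that a source-address ACL on a connectionless protocol does not authenticate the sender. The following is an added example, not part of the original post and not Nagios, NSCA or SNMP code. It contrasts a receiver that trusts the claimed source address with one that verifies a keyed MAC, a freshness window and a replay cache. The message format, key, host names and addresses are constructed for illustration.

```python
import hashlib
import hmac
import json

ALLOWED_SOURCES = {"192.0.2.10"}      # constructed ACL entry for the monitored host
SHARED_KEY = b"constructed-demo-key"  # constructed per-host secret
MAX_SKEW = 30                         # seconds a check result stays fresh


def accept_by_acl(claimed_src, payload):
    """Weak check: trusts the source address written in the packet header."""
    return claimed_src in ALLOWED_SOURCES


def sign(body, key=SHARED_KEY):
    """Sender side: append an HMAC-SHA256 tag to the serialized result."""
    raw = json.dumps(body, sort_keys=True).encode()
    return raw + b"." + hmac.new(key, raw, hashlib.sha256).hexdigest().encode()


def accept_by_hmac(payload, now, seen, key=SHARED_KEY):
    """Stronger check: ignores the source address entirely."""
    raw, sep, tag = payload.rpartition(b".")
    if not sep:
        return False                      # no tag present
    expected = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return False                      # forged or modified in transit
    body = json.loads(raw)
    if abs(now - body["ts"]) > MAX_SKEW:
        return False                      # stale capture
    if (body["host"], body["seq"]) in seen:
        return False                      # replay of an already accepted result
    seen.add((body["host"], body["seq"]))
    return True


if __name__ == "__main__":
    seen = set()
    genuine = sign({"host": "db1", "seq": 7, "ts": 1000, "status": "OK"})
    # Constructed datagram from a sender that does not hold the key.
    forged = b'{"host": "db1", "seq": 8, "status": "OK", "ts": 1000}.' + b"0" * 64
    print("ACL accepts forged:  ", accept_by_acl("192.0.2.10", forged))
    print("HMAC accepts forged: ", accept_by_hmac(forged, 1005, seen))
    print("HMAC accepts genuine:", accept_by_hmac(genuine, 1005, seen))
    print("HMAC accepts replay: ", accept_by_hmac(genuine, 1006, seen))
```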

