nrpe and nrpe_nt development

Stephen Strudwick sas at pipex.net
Thu Dec 18 17:34:29 CET 2003


> This also goes back to whether you are allowing check_nrpe to execute arguments.
> For security we don't; we only allow defined checks to run with no arguments and
> most agree that is the safer option. If there is a feeling that the server
> should be authenticated by the clients using a cert then that is something I
> can work on putting in place without much heartache and we would just need to
> automate the creation of self signed certs in the make process to simplify the
> procedure.

When we ran netsaint in the past with nrpep we had command line
arguments, but I planned to stop doing this with nagios mainly because I
thought it was an unnecessary complication as well as a security risk.

We do need more security than the basic IP checks here at pipex because we
can't be sure our servers will have tcp wrappers on them (mainly NT is the
problem here) or be behind a firewall.

We have to be as sure as we can (to the point of maybe being too zealous)
that the servers are not compromised in any way.

> If there is a feeling that the server
> should be authenticated by the clients using a cert then that is something I
> can work on putting in place without much heartache and we would just need to
> automate the creation of self signed certs in the make process to simplify the
> procedure.

Something like this would be really good; if you point me in the right
direction I'm willing to code something over Xmas, because I'm working to an
early Jan deadline :(

I really want to make sure whatever is done is accepted into the code base
so that our operations people can always download the latest version from
the site and not use a hacked about version that instantly becomes
static in development.

-
Stephen Strudwick
Advanced Development Engineer
Development Group, Product Development
PIPEX Communications
http://www.pipexcommunications.net/

Mobile: 07906 191256
Direct: 020 8957 1217

On Thu, 18 Dec 2003, local.coder wrote:

>
> Stephen,
>
> When coding in the encryption the idea was to secure the data between the nagios
> server and the remote client. The use of passwords and other options were
> specifically removed to keep out problems with plaintext password management
> and other fun. This is meant as a data protection scheme only and not an
> authentication scheme. The IP Address restriction for us is enough to limit
> remote hosts. With some minor changes the openssl part could be setup to use
> pre-shared certs but when talking with others that went to a level of
> complexity that seemed overwhelming for large server bases and updates. I
> originally was working with the blowfish encryption but at Ethan's and plugin
> people's request moved to openssl since it is already included in other plugins
> as a requirement and there was a concern to keep external requirements to a
> minimum if possible.
>
> This also goes back to whether you are allowing check_nrpe to execute arguments.
> For security we don't; we only allow defined checks to run with no arguments and
> most agree that is the safer option. If there is a feeling that the server
> should be authenticated by the clients using a cert then that is something I
> can work on putting in place without much heartache and we would just need to
> automate the creation of self signed certs in the make process to simplify the
> procedure.
>
> Like I say I didn't want to have static passwords in the config files for
> authentication because to me that gave a false sense of bad security.
>
> Derrick
>
>
> Quoting Stephen Strudwick <sas at pipex.net>:
>
> >
> > I also forgot to add that I've written a load of plugins for nrpe_nt in C
> > such as check disk, eventlog, cpu load, mem load, services etc.
> >
> > I will release the source and binaries as soon as we have finished testing
> > on them.
> >
> > -
> > Stephen Strudwick
> > Advanced Development Engineer
> > Development Group, Product Development
> > PIPEX Communications
> > http://www.pipexcommunications.net/
> >
> > Mobile: 07906 191256
> > Direct: 020 8957 1217
> >
> > On Thu, 18 Dec 2003, Stephen Strudwick wrote:
> >
> > > hello all,
> > >
> > > This is my first post to this list and I want to ask some questions
> > > about my company (Pipex) doing some development for nrpe and nrpe_nt.
> > >
> > > We have been using netsaint for a while and are upgrading to nagios and
> > > have decided to use nrpe for nt and unix boxes.
> > >
> > > I noticed the encryption using openssl is not really that secure, as far
> > > as I can tell it only encrypts the session between the client and server
> > > and doesn't stop anyone else with the nrpe client querying the server.
> > >
> > > The only protection the demon has as far as I can tell is the IP
> > > restrictions.
> > >
> > > We have some internal code we have been using for several years here that
> > > provides Blowfish encryption using shared keys, username pass
> > > authentication and all kinds of handshaking and security.
> > >
> > > The code is in C, and we have modules for *nix and NT.
> > >
> > > We also have an implementation as a Perl module (with C backend code).
> > >
> > > I would like to add this code to nrpe as a compile time option (say
> > > --use-blowfish on ./configure).
> > >
> > > And also to the NT version.
> > >
> > > If I add this code I would like it, if possible, to be integrated into the
> > > current releases of nrpe so we don't create a static fork inside our
> > > company.
> > >
> > > Basically I'm looking for feedback as to whether this is the necessary/right
> > > thing to do, or have I misunderstood the openssl encryption.
> > >
> > > I envisage the shared key encryption working like nrpep with a -s
> > > <secret> option being used for a secret on the nagios server.
> > >
> > > Thanks in advance for any feedback.
> > >
> > > -
> > > Stephen Strudwick
> > > Advanced Development Engineer
> > > Development Group, Product Development
> > > PIPEX Communications
> > > http://www.pipexcommunications.net/
> > >
> > >
> > >
> > > _______________________________________________
> > > Nagios-devel mailing list
> > > Nagios-devel at lists.sourceforge.net
> > > https://lists.sourceforge.net/lists/listinfo/nagios-devel
> > >
> >
> >
> >
> >
>
>
>
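As an added illustration, not code from the thread or from NRPE itself: a Python sketch of the request policy the thread settles on, an allowed_hosts list plus a fixed table of defined checks with no argument passing. The config layout and the "!" command/argument separator are assumed from how the NRPE daemon and check_nrpe normally behave. It also makes the caveat concrete: the policy limits which hosts and commands are accepted but authenticates nothing, which is the gap the certificate discussion above is about.

```python
import ipaddress
import shlex
import subprocess

# Constructed nrpe.cfg-style fragment (the allowed_hosts and command[name]=
# layout is assumed from the daemon's usual config, not taken from the thread).
SAMPLE_CFG = """
# hosts permitted to talk to the daemon
allowed_hosts=127.0.0.1,192.0.2.10
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
"""


def parse_cfg(text):
    """Return (set of allowed IPs, {check name: fixed argv}) from config text."""
    hosts, commands = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "allowed_hosts":
            hosts.update(ipaddress.ip_address(h.strip()) for h in value.split(","))
        elif key.startswith("command[") and key.endswith("]"):
            commands[key[len("command["):-1]] = shlex.split(value)
    return hosts, commands


def authorize(request, peer_ip, hosts, commands):
    """Policy from the thread: the source IP must be listed, the request must
    name a defined check, and no client-supplied arguments are accepted
    (check_nrpe sends command and arguments as one '!'-joined string, so any
    '!' is refused). Returns (True, argv) or (False, reason). This does not
    authenticate the peer: a spoofed or compromised listed host still passes."""
    if ipaddress.ip_address(peer_ip) not in hosts:
        return False, "host not in allowed_hosts"
    if "!" in request:
        return False, "argument passing is disabled"
    if request not in commands:
        return False, "undefined command"
    return True, commands[request]


def run_check(argv):
    """Run the fixed argv without a shell; the plugin's exit code is the status."""
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout.strip()


HOSTS, COMMANDS = parse_cfg(SAMPLE_CFG)
```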
