Steven

1/ When compiling nrpe make sure you include SSL and disable command args.

2/ I start nrpe standalone and use the line allowed_hosts=xx.xx.xx.xx (your Nagios server IP) in the config file. If you start nrpe w. inetd you can use inetd's access control, or tcp wrappers.

3/ Accessing from outside requires opening up a port on the firewall - make sure you restrict the from address just to those systems that will have legitimate access.

4/ In the nrpe config file make sure you set dont_blame_nrpe=0 just in case you forgot to disable command args at compile time.

5/ The command definitions section of nrpe.cfg will look like this...

command[check_sda1]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /dev/sda1

Note the parameters to check_disk are hard coded into the file, not passed as arguments from the Nagios host. This is the bit that makes this approach hard work. If you have two internal SMTP servers you will have to have two separate check_smtp entries, each with the host address of the target machines hard wired. This means you will also need to configure both checks separately on the Nagios host.

The important thing is that, should an attacker get past the access control, they can't do much other than read the output of a test (though a DoS attack is possible). They do not have the opportunity to manipulate the tests by passing malformed parameters.

Regards
Keith

Steven Sher wrote:
> Hi Keith
>
> You wouldn't happen to have the installation documented or a mini how-to? :)
>
> Steve
>
> -----Original Message-----
> From: Keith Coles [mailto:k...@trivas.co.uk]
> Sent: 24 February 2009 11:30 PM
> To: efw-user@lists.sourceforge.net
> Subject: Re: [Efw-user] What are your thoughts about running Nagios NRPE daemon on Endian?
>
> Steven
>
> I run a couple of Endian installations with NRPE installed.
>
> I try to make sure it's as secure as possible by
> - making sure it uses SSL for communication with the Nagios host.
> - make sure the nagios hosts allowed to connect is kept to a strictly controlled list
> - configure NRPE to *not* accept externally provided parameters - this can be a bit inconvenient with a large number of internal servers but this is likely to be the weakest part of NRPE.
>
> You're right to be concerned - any open port is a possible weakness in a firewall but the overall resilience of the infrastructure as a whole can only be improved by continually monitoring it.
>
> As an aside, I prefer to use OpsView rather than "raw" Nagios - it has a much better admin interface and includes some graphing as standard. I also like to use SmokePing to keep an eye on the network.
>
> Regards
>
> Keith
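The config-side points of Keith's checklist (a restricted allowed_hosts, dont_blame_nrpe=0, and command definitions with no $ARGn$ placeholders) can be verified mechanically before the daemon goes live. The following audit script is an added example, not from the thread or the NRPE project; the sample nrpe.cfg it writes is constructed, and the SSL point is a compile-time option it cannot see from the config.

```shell
#!/bin/sh
# audit_nrpe_cfg: report nrpe.cfg settings that would let a remote Nagios host
# (or anyone past the access control) influence what the daemon executes.

# Constructed sample config, written so the script runs stand-alone.
write_sample_cfg() {
  cat > "$1" <<'EOF'
# hardened per the thread: argument passing off, hosts pinned, commands fixed
allowed_hosts=127.0.0.1,10.0.0.5
dont_blame_nrpe=0
command[check_sda1]=/usr/local/nagios/libexec/check_disk -w 20 -c 10 -p /dev/sda1
command[check_smtp_a]=/usr/local/nagios/libexec/check_smtp -H 10.0.0.21
EOF
}

# Returns 0 when every check passes, 1 otherwise; one FAIL line per finding.
audit_nrpe_cfg() {
  cfg="$1"; rc=0
  # Drop comments and blank lines once so every check sees the same view.
  body=$(grep -v '^[[:space:]]*#' "$cfg" | grep -v '^[[:space:]]*$' || true)

  # 1. Remote argument passing must be off (dont_blame_nrpe=0 or absent).
  if printf '%s\n' "$body" | grep -Eq '^dont_blame_nrpe[[:space:]]*=[[:space:]]*1'; then
    echo "FAIL: dont_blame_nrpe=1 lets the Nagios host supply command arguments"; rc=1
  fi

  # 2. allowed_hosts must exist and must not admit any source address.
  ah=$(printf '%s\n' "$body" | sed -n 's/^allowed_hosts[[:space:]]*=[[:space:]]*//p' | tail -n 1)
  if [ -z "$ah" ]; then
    echo "FAIL: no allowed_hosts line; pin it to the Nagios server address"; rc=1
  elif printf '%s' "$ah" | grep -Eq '(^|,)[[:space:]]*0\.0\.0\.0(/0)?([[:space:]]|,|$)'; then
    echo "FAIL: allowed_hosts admits any source ($ah)"; rc=1
  fi

  # 3. Every command[...] must be fully hard coded: no $ARG1$ style placeholders.
  argcmds=$(printf '%s\n' "$body" | grep -E '^command\[' | grep -Fc '$ARG' || true)
  if [ "$argcmds" -gt 0 ]; then
    echo "FAIL: $argcmds command definition(s) use \$ARGn\$ placeholders"; rc=1
  fi
  return $rc
}

# Stand-alone run against the constructed sample (should print nothing, exit 0).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp); write_sample_cfg "$tmp"; audit_nrpe_cfg "$tmp"; rm -f "$tmp"
fi
```

Run it as `sh audit_nrpe_cfg.sh --demo`, or call `audit_nrpe_cfg /usr/local/nagios/etc/nrpe.cfg` against a real file.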