Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-30 Thread Andreas Ericsson
Kevin Keane wrote:
 Andreas Ericsson wrote:
 Kevin Keane wrote:
 Christopher McAtackney wrote:
 2009/3/25 Kevin Keane subscript...@kkeane.com:
  
 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the 
 network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if your
 topology involves the Internet or some other untrusted network (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it 
 comes to
 deciding between using check_by_ssh over an untrusted network, vs. 
 NRPE
 through some other kind of tunnel or VPN. But in that case, you'd 
 incur
 encryption overhead either way, and the comparison is very different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I suspect
 that the impact of establishing 2200 ssh connections in a five-minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in establishing and
 tearing down the connections, key negotiations etc.; the encryption
 during the data phase probably has only limited impact because most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the keys 
 are
 already exchanged. This is even more true if you have a router-based
 VPN, because in that case the overhead is offloaded to a different 
 machine.

 So if you have the option of sending the checks as NRPE through one 
 or a
 few long-term VPNs: you are probably going to be better off. Of 
 course,
 in the big picture, your mileage may vary.
 
 Firstly, thanks for the detailed explanation of the issues involved in
 this choice Kevin, it's been very helpful.

 I'm curious though, could you elaborate on why NRPE is unsuitable if
 communication with my remote hosts is going to go via the Internet? Is
 it not sufficient that NRPE uses SSL? This may be more of a network
 security question than a Nagios one, but I've no real experience in
 either area unfortunately, so I appreciate any info you can give here.
   
 No, you are right. I wasn't aware that NRPE could use SSL. In that 
 case, NRPE would be pretty much the same in terms of performance as SSL.

 That said, I am generally concerned from a security standpoint about 
 any kind of active checks going over the Internet. This is because if 
 you are monitoring, in your example, 200 hosts, you have to poke 
 holes into 200 firewalls (or into one firewall, and then set up SSL 
 or SSH keys on 200 hosts). That's 200 potential security holes all 
 over the place with little or no control, and on machines that may 
 not necessarily be hardened for access from the outside world. Worse 
 - active checks, by nature, cause a program to be launched and 
 executed on the monitored client, and usually with very high 
 permissions. You said that you check 2000 services, so that's 2000 
 plugins (give or take a few). What if a hacker found a way to 
 compromise one of your 2000 plugins? You'd have a privilege 
 escalation issue along with remote-launch capability. On 200 clients.

 Very high permissions are normally not needed.
 Depends on the plugin, but I'm not sure that this is generally true. For 
 instance, something as simple as log file analysis either requires root 
 permission on Linux (log files aren't readable by anybody else), or it 
 requires that you relax file permissions or security somewhere else.

If you do the insane version of log analysis, yes. A sane setup is to
have filters trigger on certain patterns and have the filtering program
log its results somewhere that Nagios can read. The actual logs need
never (and should never) be readable by the Nagios user.

 On 
 Windows, I'm running my monitoring agent (by default) as the Local 
 System account (most Windows services do that anyway). That has 
 basically full access to everything, but nothing on the network.
 

Well, Windows is an aberration wrt privilege separation and that's
not going to change in the near future because privilege separation
makes things hard for home users. I'm sure you can create limited
accounts under Windows too though. Otherwise I doubt any security-
minded organization would use it.

 Of course check_ping, check_tcp etc. don't usually need such high 
 permissions.

check_ping actually requires root permissions on most systems. Or
rather, the program doing the actual pinging does, since it has to
open a raw socket.

 I prefer using NRPE because
 of two reasons:
 1. It provides a rather simple way of specifying exactly which commands
   can be run, and with which arguments (don't enable argument parsing
   in nrpe if the receiving end isn't duly protected by firewalls etc)
 2. If someone breaks into the Nagios server, he or she does not get the
   public keys required for running 
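
The split Andreas describes (a privileged filter writes a small result file, the Nagios check only reads that file) as an added example; this is not code from the thread or from the Nagios project. The status file path, the 15 minute staleness limit, the patterns counted and the sample log lines are all constructed for the example:

```sh
#!/bin/sh
# Added example: least-privilege log analysis for Nagios.
# summarize_log runs as root (cron, or from the syslog daemon) and writes a
# one-line summary; check_logstatus runs as the nagios user and never opens the
# real log. STATUS_FILE, MAX_AGE and the patterns are assumptions for the example.

STATUS_FILE="${STATUS_FILE:-/var/lib/nagios/logstatus}"   # assumed path, world-readable
MAX_AGE="${MAX_AGE:-900}"                                 # assumed: summary older than 15 min is stale

# Privileged side: count the patterns of interest and publish
# "unix_timestamp failed_logins oom_kills" for the unprivileged reader.
summarize_log() {
    log=$1; out=$2
    failed=$(grep -c 'Failed password' "$log" || true)   # grep -c exits 1 on zero matches
    oom=$(grep -c 'Out of memory' "$log" || true)
    tmp="$out.tmp.$$"
    printf '%s %s %s\n' "$(date +%s)" "$failed" "$oom" > "$tmp"
    chmod 644 "$tmp"        # readable by nagios, writable only by the filter's owner
    mv "$tmp" "$out"        # atomic replace: readers never see a half-written file
}

# Unprivileged side (the plugin NRPE or check_by_ssh would run).
# Nagios exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
check_logstatus() {
    file=${1:-$STATUS_FILE}; warn=${2:-5}; crit=${3:-20}
    [ -r "$file" ] || { echo "UNKNOWN - cannot read $file"; return 3; }
    read -r stamp failed oom < "$file"
    age=$(( $(date +%s) - stamp ))
    if [ "$age" -gt "$MAX_AGE" ]; then
        # a silent filter job must not turn into a permanent green check
        echo "UNKNOWN - status file is ${age}s old, is the filter job running?"; return 3
    fi
    if [ "$oom" -gt 0 ] || [ "$failed" -ge "$crit" ]; then
        echo "CRITICAL - $failed failed logins, $oom OOM kills"; return 2
    elif [ "$failed" -ge "$warn" ]; then
        echo "WARNING - $failed failed logins"; return 1
    fi
    echo "OK - $failed failed logins, $oom OOM kills"; return 0
}

# Stand-alone demo on a constructed log: sh logstatus.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' \
      'Mar 30 10:00:01 host sshd[1]: Failed password for root from 10.0.0.9 port 1 ssh2' \
      'Mar 30 10:00:02 host kernel: Out of memory: Killed process 1234 (java)' \
      > "$d/auth.log"
    summarize_log "$d/auth.log" "$d/status"
    check_logstatus "$d/status"; echo "exit code: $?"
    rm -rf "$d"
fi
```

The point of the staleness check is that a filter job which stops running would otherwise leave the last "OK" result in place forever; returning UNKNOWN makes that failure visible without giving the nagios user any more access than read permission on one file.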

Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-29 Thread Camron W. Fox
Charlie Reddington wrote:
 
 +1 on the control master. We have about 1000 checks over 300 hosts and
 using control master made the box much more stable and quite frankly
 usable. Saved a lot of plugin timeouts as well.
 
 Think about 1000 checks every 5 or 10 minutes. That's 1000 encrypted
 tunnels that are going up and down. That's a lot of overhead for a
 quick check, let alone if your server is checking say 5 or 10 things
 back to back.
 
 http://www.torchbox.com/blog/ssh_tips_2.html
 
 Charlie
 
Charlie,

Sounded interesting so I gave this a try on our test environment, with 
the following config:

Host *
  ControlMaster auto
  ControlPath ~/.ssh/master...@%h:%p

Initially, all looked well, but then we started to see these:

Remote command execution failed: Control socket 
connect(/var/log/nagios/.ssh/master-r...@192.168.100.100:22): Connection 
refused

So you see this as well in your environment?

Best Regards,
Camron

Camron W. Fox
Hilo Office
High Performance Computing Group
Fujitsu Management Services of America, Inc.
E-mail: cw...@us.fujitsu.com


--
___
Nagios-users mailing list
Nagios-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting 
any issue. 
::: Messages without supporting info will risk being sent to /dev/null
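
The failure Camron quotes ("Control socket connect(...): Connection refused") is what you get when the socket file still exists but the master process behind it has gone away; every later ssh then tries to connect to a socket nobody is listening on. The wrapper below is an added example, not part of the thread, Nagios or OpenSSH: it checks the master with `ssh -O check`, removes a dead socket before starting a new master, and uses `ControlPersist` so the master stays up between checks (ControlPersist needs OpenSSH 5.6 or newer, which is more recent than this thread). The socket directory and the 10 minute persist time are assumptions:

```sh
#!/bin/sh
# Added example: one SSH ControlMaster per monitored host for check_by_ssh,
# with recovery from a stale control socket. SOCKET_DIR and the ControlPersist
# value are assumptions for the example.

SOCKET_DIR="${SOCKET_DIR:-$HOME/.ssh/cm}"   # assumed: the nagios user's home

# $1 user, $2 host, $3 port: one socket per user@host:port, the same naming
# idea as the ControlPath in the thread.
cm_socket() {
    printf '%s/%s@%s:%s\n' "$SOCKET_DIR" "$1" "$2" "$3"
}

# Make sure a live master exists for user@host:port; returns non-zero if one
# could not be started (treat that as UNKNOWN, not as a check failure).
cm_ensure_master() {
    user=$1; host=$2; port=${3:-22}
    sock=$(cm_socket "$user" "$host" "$port")
    mkdir -p "$SOCKET_DIR"
    chmod 700 "$SOCKET_DIR"      # a control socket is a free login for whoever can open it
    # -O check asks the master behind the socket whether it is still alive
    if ssh -S "$sock" -O check -p "$port" "$user@$host" >/dev/null 2>&1; then
        return 0
    fi
    # Nobody answered: either no master yet, or a socket file whose master died.
    # A leftover file makes every later connect() fail with "Connection refused",
    # so remove it before starting a fresh master.
    rm -f "$sock"
    # -M: act as master; -N: run no remote command; -f: go to background after
    # authentication. ControlPersist keeps the master alive after this exits.
    ssh -M -N -f -S "$sock" -p "$port" \
        -o ControlPersist=10m -o BatchMode=yes -o ConnectTimeout=10 \
        "$user@$host"
}

# Run a plugin on the remote host through the shared master.
cm_run() {
    user=$1; host=$2; port=$3; shift 3
    cm_ensure_master "$user" "$host" "$port" || return 3
    sock=$(cm_socket "$user" "$host" "$port")
    ssh -S "$sock" -p "$port" -o BatchMode=yes "$user@$host" "$@"
}
```

check_by_ssh itself can be pointed at the same socket with its `-o` option (`check_by_ssh -H host -o "ControlPath=/path/to/socket" -C command`), so the wrapper only needs to run as a periodic job that keeps the masters alive; BatchMode=yes ensures a broken key or host-key change fails immediately instead of hanging the plugin until its timeout.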


Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-26 Thread Andreas Ericsson
Kevin Keane wrote:
 Christopher McAtackney wrote:
 2009/3/25 Kevin Keane subscript...@kkeane.com:
   
 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if your
 topology involves the Internet or some other untrusted network (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it comes to
 deciding between using check_by_ssh over an untrusted network, vs. NRPE
 through some other kind of tunnel or VPN. But in that case, you'd incur
 encryption overhead either way, and the comparison is very different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I suspect
 that the impact of establishing 2200 ssh connections in a five-minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in establishing and
 tearing down the connections, key negotiations etc.; the encryption
 during the data phase probably has only limited impact because most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the keys are
 already exchanged. This is even more true if you have a router-based
 VPN, because in that case the overhead is offloaded to a different machine.

 So if you have the option of sending the checks as NRPE through one or a
 few long-term VPNs: you are probably going to be better off. Of course,
 in the big picture, your mileage may vary.
 
 Firstly, thanks for the detailed explanation of the issues involved in
 this choice Kevin, it's been very helpful.

 I'm curious though, could you elaborate on why NRPE is unsuitable if
 communication with my remote hosts is going to go via the Internet? Is
 it not sufficient that NRPE uses SSL? This may be more of a network
 security question than a Nagios one, but I've no real experience in
 either area unfortunately, so I appreciate any info you can give here.
   
 No, you are right. I wasn't aware that NRPE could use SSL. In that case, 
 NRPE would be pretty much the same in terms of performance as SSL.
 
 That said, I am generally concerned from a security standpoint about any 
 kind of active checks going over the Internet. This is because if you 
 are monitoring, in your example, 200 hosts, you have to poke holes into 
 200 firewalls (or into one firewall, and then set up SSL or SSH keys on 
 200 hosts). That's 200 potential security holes all over the place with 
 little or no control, and on machines that may not necessarily be 
 hardened for access from the outside world. Worse - active checks, by 
 nature, cause a program to be launched and executed on the monitored 
 client, and usually with very high permissions. You said that you check 
 2000 services, so that's 2000 plugins (give or take a few). What if a 
 hacker found a way to compromise one of your 2000 plugins? You'd have a 
 privilege escalation issue along with remote-launch capability. On 200 
 clients.
 

Very high permissions are normally not needed. I prefer using NRPE because
of two reasons:
1. It provides a rather simple way of specifying exactly which commands
   can be run, and with which arguments (don't enable argument parsing
   in nrpe if the receiving end isn't duly protected by firewalls etc)
2. If someone breaks into the Nagios server, he or she does not get the
   public keys required for running commands on the remote servers.

 Because of these concerns, I am using passive checks almost exclusively 
 over the Internet (except for publicly available services such as HTTP 
 or SMTP, of course); I wrote an agent that resides on the client as a 
 wrapper around the excellent NSClient++ and performs the actual checks. 
 It then forwards the checks to the Nagios server via NSCA over HTTPS. A 
 second benefit is that this agent collects about 40 or so check results, 
 and then sends all of them at once through a single SSL connection. That 
 reduces the overhead of establishing a secure connection by a factor of 
 40. BTW, the agent is available as Open Source. Go to 
 http://www.tntmonitoring.com .
 

Sounds like a rather neat solution, although I suppose it has to be
configured at both ends before it's actually useful (although all other
agents require some configuration anyway, so perhaps it's not such a big
deal). I'm not too fond of relinquishing the re-check logic of Nagios
though, but I guess you can't get everything.

-- 
Andreas Ericsson   andreas.erics...@op5.se
OP5 AB www.op5.se
Tel: +46 8-230225  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
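
Andreas' first point rests on two nrpe.cfg settings: the fixed `command[name]=...` list, and `dont_blame_nrpe`, which when set to 1 lets the Nagios side substitute `$ARG1$`-style macros into those commands. The audit below is an added example (not from the thread or the NRPE project) that flags a configuration which has drifted from that model; it also reports a missing `allowed_hosts`, since NRPE otherwise has no way of caring who connects. The two sample configs are constructed for the example:

```sh
#!/bin/sh
# Added example: audit an nrpe.cfg for the settings that turn NRPE's fixed
# command list back into a remote command surface. Sample configs below are
# constructed, as are the plugin paths in them.

# Print one line per finding; return the number of findings (0 = clean).
audit_nrpe_cfg() {
    cfg=$1
    findings=0
    # dont_blame_nrpe=1 enables argument passing from the client
    if grep -Eq '^[[:space:]]*dont_blame_nrpe[[:space:]]*=[[:space:]]*1' "$cfg"; then
        echo "dont_blame_nrpe=1: argument passing is enabled"
        findings=$((findings + 1))
    fi
    # command definitions containing $ARGn$ take their arguments from the client;
    # they are harmless only while dont_blame_nrpe=0, so list them anyway
    argcmds='^[[:space:]]*command\[[^]]+\]=.*\$ARG[0-9]+\$'
    grep -E "$argcmds" "$cfg" | while IFS= read -r line; do
        echo "command takes client arguments: $line"
    done
    n=$(grep -Ec "$argcmds" "$cfg" || true)
    findings=$((findings + n))
    # without allowed_hosts, any host that can reach the port may run the commands
    if ! grep -Eq '^[[:space:]]*allowed_hosts[[:space:]]*=[[:space:]]*[^[:space:]]' "$cfg"; then
        echo "allowed_hosts is unset: no source restriction"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: the weak setting beside the corrected one.
write_sample_cfgs() {
    dir=$1
    cat > "$dir/weak.cfg" <<'EOF'
allowed_hosts=
dont_blame_nrpe=1
command[check_users]=/usr/lib/nagios/plugins/check_users -w $ARG1$ -c $ARG2$
command[check_disk]=/usr/lib/nagios/plugins/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
EOF
    cat > "$dir/hardened.cfg" <<'EOF'
allowed_hosts=127.0.0.1,10.0.0.2
dont_blame_nrpe=0
command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
command[check_disk_root]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /
EOF
}

# Stand-alone demo: sh audit_nrpe.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_sample_cfgs "$d"
    for f in weak hardened; do
        echo "== $f.cfg"; audit_nrpe_cfg "$d/$f.cfg"; echo "findings: $?"
    done
    rm -rf "$d"
fi
```

The hardened form trades one generic `check_disk` for one fixed command per filesystem and threshold (`check_disk_root`), which is exactly the "specify which commands can be run, and with which arguments" Andreas means; the Nagios side then gets to choose a name, never a command line.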


Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-26 Thread Kevin Keane
Andreas Ericsson wrote:
 Kevin Keane wrote:
 Christopher McAtackney wrote:
 2009/3/25 Kevin Keane subscript...@kkeane.com:
  
 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the 
 network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if your
 topology involves the Internet or some other untrusted network (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it 
 comes to
 deciding between using check_by_ssh over an untrusted network, vs. 
 NRPE
 through some other kind of tunnel or VPN. But in that case, you'd 
 incur
 encryption overhead either way, and the comparison is very different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I suspect
 that the impact of establishing 2200 ssh connections in a five-minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in establishing and
 tearing down the connections, key negotiations etc.; the encryption
 during the data phase probably has only limited impact because most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the keys 
 are
 already exchanged. This is even more true if you have a router-based
 VPN, because in that case the overhead is offloaded to a different 
 machine.

 So if you have the option of sending the checks as NRPE through one 
 or a
 few long-term VPNs: you are probably going to be better off. Of 
 course,
 in the big picture, your mileage may vary.
 
 Firstly, thanks for the detailed explanation of the issues involved in
 this choice Kevin, it's been very helpful.

 I'm curious though, could you elaborate on why NRPE is unsuitable if
 communication with my remote hosts is going to go via the Internet? Is
 it not sufficient that NRPE uses SSL? This may be more of a network
 security question than a Nagios one, but I've no real experience in
 either area unfortunately, so I appreciate any info you can give here.
   
 No, you are right. I wasn't aware that NRPE could use SSL. In that 
 case, NRPE would be pretty much the same in terms of performance as SSL.

 That said, I am generally concerned from a security standpoint about 
 any kind of active checks going over the Internet. This is because if 
 you are monitoring, in your example, 200 hosts, you have to poke 
 holes into 200 firewalls (or into one firewall, and then set up SSL 
 or SSH keys on 200 hosts). That's 200 potential security holes all 
 over the place with little or no control, and on machines that may 
 not necessarily be hardened for access from the outside world. Worse 
 - active checks, by nature, cause a program to be launched and 
 executed on the monitored client, and usually with very high 
 permissions. You said that you check 2000 services, so that's 2000 
 plugins (give or take a few). What if a hacker found a way to 
 compromise one of your 2000 plugins? You'd have a privilege 
 escalation issue along with remote-launch capability. On 200 clients.


 Very high permissions are normally not needed.
Depends on the plugin, but I'm not sure that this is generally true. For 
instance, something as simple as log file analysis either requires root 
permission on Linux (log files aren't readable by anybody else), or it 
requires that you relax file permissions or security somewhere else. On 
Windows, I'm running my monitoring agent (by default) as the Local 
System account (most Windows services do that anyway). That has 
basically full access to everything, but nothing on the network.

Of course check_ping, check_tcp etc. don't usually need such high 
permissions.
 I prefer using NRPE because
 of two reasons:
 1. It provides a rather simple way of specifying exactly which commands
   can be run, and with which arguments (don't enable argument parsing
   in nrpe if the receiving end isn't duly protected by firewalls etc)
 2. If someone breaks into the Nagios server, he or she does not get the
   public keys required for running commands on the remote servers.
Can you explain that second statement? I'm not sure I follow what you 
are trying to say here. Why would getting public keys be a bad thing? 
They are, by definition, freely available anyway.
 Because of these concerns, I am using passive checks almost 
 exclusively over the Internet (except for publicly available services 
 such as HTTP or SMTP, of course); I wrote an agent that resides on 
 the client as a wrapper around the excellent NSClient++ and performs 
 the actual checks. It then forwards the checks to the Nagios server 
 via NSCA over HTTPS. A second benefit is that this agent collects 
 about 40 or so check results, and then sends all of them at once 
 through a single SSL connection. That reduces the overhead 

Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-26 Thread Charlie Reddington

On Mar 26, 2009, at 11:05 AM, Kevin Keane wrote:

 Andreas Ericsson wrote:
 Kevin Keane wrote:
 Christopher McAtackney wrote:
 2009/3/25 Kevin Keane subscript...@kkeane.com:

 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the
 network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if  
 your
 topology involves the Internet or some other untrusted network  
 (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it
 comes to
 deciding between using check_by_ssh over an untrusted network, vs.
 NRPE
 through some other kind of tunnel or VPN. But in that case, you'd
 incur
 encryption overhead either way, and the comparison is very  
 different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I  
 suspect
 that the impact of establishing 2200 ssh connections in a five- 
 minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in  
 establishing and
 tearing down the connections, key negotiations etc.; the  
 encryption
 during the data phase probably has only limited impact because  
 most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the  
 keys
 are
 already exchanged. This is even more true if you have a router- 
 based
 VPN, because in that case the overhead is offloaded to a different
 machine.

 So if you have the option of sending the checks as NRPE through  
 one
 or a
 few long-term VPNs: you are probably going to be better off. Of
 course,
 in the big picture, your mileage may vary.

 Firstly, thanks for the detailed explanation of the issues  
 involved in
 this choice Kevin, it's been very helpful.

 I'm curious though, could you elaborate on why NRPE is unsuitable  
 if
 communication with my remote hosts is going to go via the  
 Internet? Is
 it not sufficient that NRPE uses SSL? This may be more of a network
 security question than a Nagios one, but I've no real experience in
 either area unfortunately, so I appreciate any info you can give  
 here.

 No, you are right. I wasn't aware that NRPE could use SSL. In that
 case, NRPE would be pretty much the same in terms of performance  
 as SSL.

 That said, I am generally concerned from a security standpoint about
 any kind of active checks going over the Internet. This is because  
 if
 you are monitoring, in your example, 200 hosts, you have to poke
 holes into 200 firewalls (or into one firewall, and then set up SSL
 or SSH keys on 200 hosts). That's 200 potential security holes all
 over the place with little or no control, and on machines that may
 not necessarily be hardened for access from the outside world. Worse
 - active checks, by nature, cause a program to be launched and
 executed on the monitored client, and usually with very high
 permissions. You said that you check 2000 services, so that's 2000
 plugins (give or take a few). What if a hacker found a way to
 compromise one of your 2000 plugins? You'd have a privilege
 escalation issue along with remote-launch capability. On 200  
 clients.


 Very high permissions are normally not needed.
 Depends on the plugin, but I'm not sure that this is generally true. For
 instance, something as simple as log file analysis either requires root
 permission on Linux (log files aren't readable by anybody else), or it
 requires that you relax file permissions or security somewhere else.
 On
 Windows, I'm running my monitoring agent (by default) as the Local
 System account (most Windows services do that anyway). That has
 basically full access to everything, but nothing on the network.

My nagios user only checks basic system stuff, and I haven't run into  
a permission error situation yet, and I check the following by default  
- load, users, disk, swap, memory, processes, databases, raid.



 Of course check_ping, check_tcp etc. don't usually need such high
 permissions.
 I prefer using NRPE because
 of two reasons:
 1. It provides a rather simple way of specifying exactly which  
 commands
  can be run, and with which arguments (don't enable argument parsing
  in nrpe if the receiving end isn't duly protected by firewalls etc)
 2. If someone breaks into the Nagios server, he or she does not get  
 the
  public keys required for running commands on the remote servers.
 Can you explain that second statement? I'm not sure I follow what you
 are trying to say here. Why would getting public keys be a bad thing?
 They are, by definition, freely available anyway.

What you CAN do, though it's kind of a p.i.t.a., is have a key per  
command. So if you have something like check_disk, you can put a  
single key for just that command. On all the servers you roll this out  
to, you can secure it up 
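
The "key per command" scheme Charlie describes is implemented on the monitored host with sshd's authorized_keys options: a `command="..."` forced command makes sshd run that one plugin whatever the client asked for (the requested command only shows up in SSH_ORIGINAL_COMMAND), and the `no-*` options take away port forwarding, agent forwarding and a tty, so a key lifted from a compromised Nagios server buys nothing beyond that plugin's output. The helper below is an added example, not code from the thread or OpenSSH; plugin paths and the sample keys are constructed:

```sh
#!/bin/sh
# Added example: generate and audit per-command authorized_keys entries for
# check_by_ssh. Key material and plugin paths below are constructed samples.

# $1: plugin command line to pin the key to
# $2: public key line ("type base64 [comment]")
# $3: optional source restriction for sshd's from= option (e.g. the Nagios host IP)
restricted_key_line() {
    opts='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'
    if [ -n "${3:-}" ]; then
        printf 'from="%s",command="%s",%s %s\n' "$3" "$1" "$opts" "$2"
    else
        printf 'command="%s",%s %s\n' "$1" "$opts" "$2"
    fi
}

# Print every non-comment authorized_keys entry that is NOT pinned to a
# command; return their number, so 0 means every key on the host is restricted.
audit_authorized_keys() {
    file=$1
    unrestricted=$(grep -Ev '^[[:space:]]*(#|$)' "$file" | grep -Evc '(^|,)command="' || true)
    grep -Ev '^[[:space:]]*(#|$)' "$file" | grep -Ev '(^|,)command="' || true
    return "$unrestricted"
}

# Constructed sample host file: two pinned keys plus one key added by hand
# without any restrictions, which the audit should flag.
write_sample_authorized_keys() {
    out=$1
    k1='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0exampleKeyOne nagios@monitor check_disk'
    k2='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0exampleKeyTwo nagios@monitor check_load'
    k3='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0exampleKeyThree admin@laptop'
    {
        echo '# one key per plugin; the Nagios side selects it with check_by_ssh -i <keyfile>'
        restricted_key_line '/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /' "$k1" 10.0.0.2
        restricted_key_line '/usr/lib/nagios/plugins/check_load -w 5,4,3 -c 10,8,6' "$k2" 10.0.0.2
        echo "$k3"
    } > "$out"
}

# Stand-alone demo: sh nagios_keys.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_sample_authorized_keys "$d/authorized_keys"
    cat "$d/authorized_keys"
    echo '--- entries without a forced command:'
    audit_authorized_keys "$d/authorized_keys"; echo "unrestricted: $?"
    rm -rf "$d"
fi
```

On the Nagios side each service then uses its own private key (`check_by_ssh -H host -l nagios -i /etc/nagios/keys/check_disk -C check_disk`, paths assumed); the `-C` argument is effectively ignored by a forced-command key, so the command line a check runs is decided on the monitored host, not on the monitoring one.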

Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Idriss ARABBAJ
Hi Kevin,

I carefully read your speech about this subject and I found that you
insist a lot on the security offered by ssh, but you can also configure
nrpe to work with ssl, so I think we will have no difference at this
level. What do you think?
best regards

2009/3/25 Kevin Keane subscript...@kkeane.com:
 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if your
 topology involves the Internet or some other untrusted network (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it comes to
 deciding between using check_by_ssh over an untrusted network, vs. NRPE
 through some other kind of tunnel or VPN. But in that case, you'd incur
 encryption overhead either way, and the comparison is very different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I suspect
 that the impact of establishing 2200 ssh connections in a five-minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in establishing and
 tearing down the connections, key negotiations etc.; the encryption
 during the data phase probably has only limited impact because most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the keys are
 already exchanged. This is even more true if you have a router-based
 VPN, because in that case the overhead is offloaded to a different machine.

 So if you have the option of sending the checks as NRPE through one or a
 few long-term VPNs: you are probably going to be better off. Of course,
 in the big picture, your mileage may vary.

 Christopher McAtackney wrote:
 Hi all,

 I was wondering if someone could give a brief overview of the pros /
 cons of using NRPE to monitor my remote hosts versus using the
 check_by_ssh command?

 I'm aware that check_by_ssh increases the CPU overhead, but I'm not
 clear on the level of impact here - does this increase the load on the
 monitoring machine in direct relation to the number of hosts being
 monitored? For example, if I was using check_by_ssh to monitor, say,
 2000 services spread across 200 hosts, would I experience significant
 slowdown on my monitoring machine?

 Cheers for any info,

 Chris



 --
 Kevin Keane
 Owner
 The NetTech
 Find the Uncommon: Expert Solutions for a Network You Never Have to Think 
 About

 Office: 866-642-7116
 http://www.4nettech.com

 This e-mail and attachments, if any, may contain confidential and/or 
 proprietary information. Please be advised that the unauthorized use or 
 disclosure of the information is strictly prohibited. The information herein 
 is intended only for use by the intended recipient(s) named above. If you 
 have received this transmission in error, please notify the sender 
 immediately and permanently delete the e-mail and any copies, printouts or 
 attachments thereof.






-- 
Cordialement,
Idriss ARABBAJ



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Ciro Iriarte
2009/3/25 Idriss ARABBAJ arab...@gmail.com:
 Hi Kevin,

 I carefully read your speech about this subject and I found that you
 insist a lot on the security offered by ssh, but you can also configure
 nrpe to work with ssl, so I think we will have no difference at this
 level. What do you think?
 best regards



 --
 Cordialement,
 Idriss ARABBAJ


Don't top-post. We have seen performance issues (in the key
exchange phase mostly) using check_by_ssh with about 300 checks on a
single host. NRPE using SSL has less overhead.

Running a plugin using SSH took 7.5 to 10 seconds (various tests) and
running the same with NRPE took 0.148 seconds at most. The target
server is a big SPARC with 3 CPUs dual-core, dual-strand and 24GB, so
it is not a hardware issue.

Regards,

-- 
Ciro Iriarte
http://cyruspy.wordpress.com
--


Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Kevin Keane
Hi Idriss,

What I think? I think I learned something new! Thanks for telling me 
about the NRPE-with-SSL option; I was not aware of that.

That said, I suspect that the overhead for SSL and SSH will be very 
similar, because under the hood they use quite similar algorithms. I 
want to say, they actually use the same, but I'm not sure if that is 
true. At least the way the connections are established are the same.

Regards,

Kevin

Idriss ARABBAJ wrote:
 Hi Kevin,

 I carefully read your speech about this subject and I found that you
 insist a lot on the security offered by ssh, but you can also configure
 nrpe to work with ssl, so I think we will have no difference at this
 level. What do you think?
 best regards

 2009/3/25 Kevin Keane subscript...@kkeane.com:
   
 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if your
 topology involves the Internet or some other untrusted network (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it comes to
 deciding between using check_by_ssh over an untrusted network, vs. NRPE
 through some other kind of tunnel or VPN. But in that case, you'd incur
 encryption overhead either way, and the comparison is very different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I suspect
 that the impact of establishing 2200 ssh connections in a five-minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in establishing and
 tearing down the connections, key negotiations etc.; the encryption
 during the data phase probably has only limited impact because most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the keys are
 already exchanged. This is even more true if you have a router-based
 VPN, because in that case the overhead is offloaded to a different machine.

 So if you have the option of sending the checks as NRPE through one or a
 few long-term VPNs: you are probably going to be better off. Of course,
 in the big picture, your mileage may vary.

 Christopher McAtackney wrote:
 
 Hi all,

 I was wondering if someone could give a brief overview of the pros /
 cons of using NRPE to monitor my remote hosts versus using the
 check_by_ssh command?

 I'm aware that check_by_ssh increases the CPU overhead, but I'm not
 clear on the level of impact here - does this increase the load on the
 monitoring machine in direct relation to the number of hosts being
 monitored? For example, if I was using check_by_ssh to monitor, say,
 2000 services spread across 200 hosts, would I experience significant
 slowdown on my monitoring machine?

 Cheers for any info,

 Chris

   



 



   



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Michael Medin
Sorry to barge in (without reading the thread but...)

Security wise NRPE lacks any form of authentication which is something 
SSH has so in this regard SSH is the more secure one...


// Michael Medin

Idriss ARABBAJ skrev:
 Hi Kevin,

 I carefully read your speech about this subject, and I found that you
 insist a lot on the security offered by ssh, but you can also configure
 nrpe to work with ssl, so I think we will have no difference at this
 level. What do you think?
 best regards

 2009/3/25 Kevin Keane subscript...@kkeane.com:
   
 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if your
 topology involves the Internet or some other untrusted network (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it comes to
 deciding between using check_by_ssh over an untrusted network, vs. NRPE
 through some other kind of tunnel or VPN. But in that case, you'd incur
 encryption overhead either way, and the comparison is very different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I suspect
 that the impact of establishing 2200 ssh connections in a five-minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in establishing and
 tearing down the connections, key negotiations etc.; the encryption
 during the data phase probably has only limited impact because most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the keys are
 already exchanged. This is even more true if you have a router-based
 VPN, because in that case the overhead is offloaded to a different machine.

 So if you have the option of sending the checks as NRPE through one or a
 few long-term VPNs: you are probably going to be better off. Of course,
 in the big picture, your mileage may vary.

 Christopher McAtackney wrote:
 
 Hi all,

 I was wondering if someone could give a brief overview of the pros /
 cons of using NRPE to monitor my remote hosts versus using the
 check_by_ssh command?

 I'm aware that check_by_ssh increases the CPU overhead, but I'm not
 clear on the level of impact here - does this increase the load on the
 monitoring machine in direct relation to the number of hosts being
 monitored? For example, if I was using check_by_ssh to monitor, say,
 2000 services spread across 200 hosts, would I experience significant
 slowdown on my monitoring machine?

 Cheers for any info,

 Chris



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Kevin Keane
Wouldn't the SSL certificates provide authentication comparable to SSH 
keys? I'm not familiar with how NRPE uses SSL, but I would assume that 
you could also use client certificates?

Michael Medin wrote:
 Sorry to barge in (without reading the thread but...)

 Security wise NRPE lacks any form of authentication which is something 
 SSH has so in this regard SSH is the more secure one...


 // Michael Medin

 Idriss ARABBAJ skrev:
   
 Hi Kevin,

 I carefully read your speech about this subject, and I found that you
 insist a lot on the security offered by ssh, but you can also configure
 nrpe to work with ssl, so I think we will have no difference at this
 level. What do you think?
 best regards

 2009/3/25 Kevin Keane subscript...@kkeane.com:
   
 
 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if your
 topology involves the Internet or some other untrusted network (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it comes to
 deciding between using check_by_ssh over an untrusted network, vs. NRPE
 through some other kind of tunnel or VPN. But in that case, you'd incur
 encryption overhead either way, and the comparison is very different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I suspect
 that the impact of establishing 2200 ssh connections in a five-minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in establishing and
 tearing down the connections, key negotiations etc.; the encryption
 during the data phase probably has only limited impact because most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the keys are
 already exchanged. This is even more true if you have a router-based
 VPN, because in that case the overhead is offloaded to a different machine.

 So if you have the option of sending the checks as NRPE through one or a
 few long-term VPNs: you are probably going to be better off. Of course,
 in the big picture, your mileage may vary.

 Christopher McAtackney wrote:
 
   
 Hi all,

 I was wondering if someone could give a brief overview of the pros /
 cons of using NRPE to monitor my remote hosts versus using the
 check_by_ssh command?

 I'm aware that check_by_ssh increases the CPU overhead, but I'm not
 clear on the level of impact here - does this increase the load on the
 monitoring machine in direct relation to the number of hosts being
 monitored? For example, if I was using check_by_ssh to monitor, say,
 2000 services spread across 200 hosts, would I experience significant
 slowdown on my monitoring machine?

 Cheers for any info,

 Chris
 



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Christopher McAtackney
2009/3/25 Kevin Keane subscript...@kkeane.com:
 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if your
 topology involves the Internet or some other untrusted network (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it comes to
 deciding between using check_by_ssh over an untrusted network, vs. NRPE
 through some other kind of tunnel or VPN. But in that case, you'd incur
 encryption overhead either way, and the comparison is very different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I suspect
 that the impact of establishing 2200 ssh connections in a five-minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in establishing and
 tearing down the connections, key negotiations etc.; the encryption
 during the data phase probably has only limited impact because most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the keys are
 already exchanged. This is even more true if you have a router-based
 VPN, because in that case the overhead is offloaded to a different machine.

 So if you have the option of sending the checks as NRPE through one or a
 few long-term VPNs: you are probably going to be better off. Of course,
 in the big picture, your mileage may vary.

Firstly, thanks for the detailed explanation of the issues involved in
this choice Kevin, it's been very helpful.

I'm curious though, could you elaborate on why NRPE is unsuitable if
communication with my remote hosts is going to go via the Internet? Is
it not sufficient that NRPE uses SSL? This may be more of a network
security question than a Nagios one, but I've no real experience in
either area unfortunately, so I appreciate any info you can give here.

Cheers,
Chris



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Michael Medin
Kevin Keane skrev:
 Wouldn't the SSL certificates provide authentication comparable to SSH 
 keys? I'm not familiar with how NRPE uses SSL, but I would assume that 
 you could also use client certificates?
   
I am no expert, but AFAIK it merely encrypts the traffic, i.e., no 
certificates at all. If someone knows how to use certificates, please 
feel free to let me know so I can add it to NSClient++, but from what I have 
seen it is not possible...

// Michael Medin
 Michael Medin wrote:
   
 Sorry to barge in (without reading the thread but...)

 Security wise NRPE lacks any form of authentication which is something 
 SSH has so in this regard SSH is the more secure one...


 // Michael Medin

 Idriss ARABBAJ skrev:
   
 
 Hi Kevin,

 I carefully read your speech about this subject, and I found that you
 insist a lot on the security offered by ssh, but you can also configure
 nrpe to work with ssl, so I think we will have no difference at this
 level. What do you think?
 best regards

 2009/3/25 Kevin Keane subscript...@kkeane.com:
   
 
   
 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if your
 topology involves the Internet or some other untrusted network (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it comes to
 deciding between using check_by_ssh over an untrusted network, vs. NRPE
 through some other kind of tunnel or VPN. But in that case, you'd incur
 encryption overhead either way, and the comparison is very different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I suspect
 that the impact of establishing 2200 ssh connections in a five-minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in establishing and
 tearing down the connections, key negotiations etc.; the encryption
 during the data phase probably has only limited impact because most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the keys are
 already exchanged. This is even more true if you have a router-based
 VPN, because in that case the overhead is offloaded to a different machine.

 So if you have the option of sending the checks as NRPE through one or a
 few long-term VPNs: you are probably going to be better off. Of course,
 in the big picture, your mileage may vary.

 Christopher McAtackney wrote:
 
   
 
 Hi all,

 I was wondering if someone could give a brief overview of the pros /
 cons of using NRPE to monitor my remote hosts versus using the
 check_by_ssh command?

 I'm aware that check_by_ssh increases the CPU overhead, but I'm not
 clear on the level of impact here - does this increase the load on the
 monitoring machine in direct relation to the number of hosts being
 monitored? For example, if I was using check_by_ssh to monitor, say,
 2000 services spread across 200 hosts, would I experience significant
 slowdown on my monitoring machine?

 Cheers for any info,

 Chris


Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Kevin Keane
Christopher McAtackney wrote:
 2009/3/25 Kevin Keane subscript...@kkeane.com:
   
 I think you are comparing apples and oranges here, because in most
 situations that I can think of, the decision is dictated by the network
 topology. If you are exclusively on a trusted private network,
 check_by_ssh really doesn't offer any benefits. Conversely, if your
 topology involves the Internet or some other untrusted network (WiFi),
 then you wouldn't want NRPE in the first place.

 The only exception to the above that I can think of is when it comes to
 deciding between using check_by_ssh over an untrusted network, vs. NRPE
 through some other kind of tunnel or VPN. But in that case, you'd incur
 encryption overhead either way, and the comparison is very different
 from the question you asked.

 All that said: I don't have any first-hand experience, but I suspect
 that the impact of establishing 2200 ssh connections in a five-minute
 span (assuming that you are using a five-minute check interval) is
 pretty substantial. The main impact actually lies in establishing and
 tearing down the connections, key negotiations etc.; the encryption
 during the data phase probably has only limited impact because most
 checks only transmit a few bytes back and forth.

 SSH does much better with longer-duration connections when the keys are
 already exchanged. This is even more true if you have a router-based
 VPN, because in that case the overhead is offloaded to a different machine.

 So if you have the option of sending the checks as NRPE through one or a
 few long-term VPNs: you are probably going to be better off. Of course,
 in the big picture, your mileage may vary.
 

 Firstly, thanks for the detailed explanation of the issues involved in
 this choice Kevin, it's been very helpful.

 I'm curious though, could you elaborate on why NRPE is unsuitable if
 communication with my remote hosts is going to go via the Internet? Is
 it not sufficient that NRPE uses SSL? This may be more of a network
 security question than a Nagios one, but I've no real experience in
 either area unfortunately, so I appreciate any info you can give here.
   
No, you are right. I wasn't aware that NRPE could use SSL. In that case, 
NRPE would be pretty much the same in terms of performance as SSL.

That said, I am generally concerned from a security standpoint about any 
kind of active checks going over the Internet. This is because if you 
are monitoring, in your example, 200 hosts, you have to poke holes into 
200 firewalls (or into one firewall, and then set up SSL or SSH keys on 
200 hosts). That's 200 potential security holes all over the place with 
little or no control, and on machines that may not necessarily be 
hardened for access from the outside world. Worse - active checks, by 
nature, cause a program to be launched and executed on the monitored 
client, and usually with very high permissions. You said that you check 
2000 services, so that's 2000 plugins (give or take a few). What if a 
hacker found a way to compromise one of your 2000 plugins? You'd have a 
privilege escalation issue along with remote-launch capability. On 200 
clients.

Because of these concerns, I am using passive checks almost exclusively 
over the Internet (except for publicly available services such as HTTP 
or SMTP, of course); I wrote an agent that resides on the client as a 
wrapper around the excellent NSClient++ and performs the actual checks. 
It then forwards the checks to the Nagios server via NSCA over HTTPS. A 
second benefit is that this agent collects about 40 or so check results, 
and then sends all of them at once through a single SSL connection. That 
reduces the overhead of establishing a secure connection by a factor of 
40. BTW, the agent is available as Open Source. Go to 
http://www.tntmonitoring.com .



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Cian Brennan
On Wed, Mar 25, 2009 at 06:44:00PM +, Christopher McAtackney wrote:
 2009/3/25 Kevin Keane subscript...@kkeane.com:
  I think you are comparing apples and oranges here, because in most
  situations that I can think of, the decision is dictated by the network
  topology. If you are exclusively on a trusted private network,
  check_by_ssh really doesn't offer any benefits. Conversely, if your
  topology involves the Internet or some other untrusted network (WiFi),
  then you wouldn't want NRPE in the first place.
 
  The only exception to the above that I can think of is when it comes to
  deciding between using check_by_ssh over an untrusted network, vs. NRPE
  through some other kind of tunnel or VPN. But in that case, you'd incur
  encryption overhead either way, and the comparison is very different
  from the question you asked.
 
  All that said: I don't have any first-hand experience, but I suspect
  that the impact of establishing 2200 ssh connections in a five-minute
  span (assuming that you are using a five-minute check interval) is
  pretty substantial. The main impact actually lies in establishing and
  tearing down the connections, key negotiations etc.; the encryption
  during the data phase probably has only limited impact because most
  checks only transmit a few bytes back and forth.
 
  SSH does much better with longer-duration connections when the keys are
  already exchanged. This is even more true if you have a router-based
  VPN, because in that case the overhead is offloaded to a different machine.
 
  So if you have the option of sending the checks as NRPE through one or a
  few long-term VPNs: you are probably going to be better off. Of course,
  in the big picture, your mileage may vary.
 
 Firstly, thanks for the detailed explanation of the issues involved in
 this choice Kevin, it's been very helpful.
 
 I'm curious though, could you elaborate on why NRPE is unsuitable if
 communication with my remote hosts is going to go via the Internet? Is
 it not sufficient that NRPE uses SSL? This may be more of a network
 security question than a Nagios one, but I've no real experience in
 either area unfortunately, so I appreciate any info you can give here.
 
 Cheers,
 Chris
 
NRPE uses SSL, but it doesn't check certificates. As such, someone could spoof
your IP, and run code, and get the results through NRPE. SSH does check
certificates, and relies on a shared secret, making this impossible.



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread RijilV
2009/3/24 Christopher McAtackney crist...@gmail.com:
 Hi all,

 I was wondering if someone could give a brief overview of the pros /
 cons of using NRPE to monitor my remote hosts versus using the
 check_by_ssh command?

 I'm aware that check_by_ssh increases the CPU overhead, but I'm not
 clear on the level of impact here - does this increase the load on the
 monitoring machine in direct relation to the number of hosts being
 monitored? For example, if I was using check_by_ssh to monitor, say,
 2000 services spread across 200 hosts, would I experience significant
 slowdown on my monitoring machine?

 Cheers for any info,

 Chris



SSH is going to slow it down on both sides of the communication.  SSH
does quite a bit more in terms of setting up the connection, which
involves using asymmetric encryption to set up a shared secret for
symmetric encryption and verifying keys for the asymmetric part,
verifying access, and allocating a session.  Whereas NRPE, even with
encryption, just does a simple pre-shared secret for the symmetric
encryption, which is much faster even if using the same encryption algorithm.


One thing you could do with SSH to speed it up (and I would argue make
it faster than NRPE, depending on the stability of your network) would
be to use ControlMaster.  ControlMaster is an SSH v2 feature, where you
create a connection and can open up multiple sessions with that
ControlMaster for other SSH processes.  This saves you not only the
key-exchange heavy lifting, but also you're not opening up a new socket
on the remote host.  In order to really make it worth it you'd have to
spawn a process that was continuously connected.  I wrote an ugly
check_by_ssh that would spawn a ControlMaster if one didn't exist and
use it if it did.  It reduced the load/latency quite a bit for SSH
checks.  Though if I had to do it again I'd use 'ControlMaster auto'
(man 5 ssh_config) and create a separate check that was responsible
for maintaining the ControlMaster; then you could use the stock
check_by_ssh without any modifications.


That all being said, you might want to think about a distributed setup
anyhow, if nothing more than for redundancy.  200 servers and 2,000 checks
is a lot of responsibility for a singleton; you could break it 50/50
between two servers that could take over for the other one if it
fails.


.r'
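An added example of the separate ControlMaster-maintaining check suggested above (not code from the original post, nor from the Nagios or OpenSSH projects): a small Nagios plugin that verifies the persistent master for a host is alive and restarts it if not, so the stock check_by_ssh can reuse it. The ssh_config stanza, the script name check_controlmaster.sh and the SSH override variable are assumptions.

```shell
#!/bin/sh
# check_controlmaster.sh (hypothetical name): a Nagios check that keeps a
# persistent OpenSSH ControlMaster up for one host so that the stock
# check_by_ssh reuses it instead of doing a full key exchange per check.
#
# Assumed ~/.ssh/config on the monitoring server (not from the original post):
#   Host *
#     ControlMaster auto             # reuse an existing master, else start one
#     ControlPath ~/.ssh/cm-%r@%h:%p
#     ControlPersist 10m             # keep the master alive after the last session
#     BatchMode yes                  # never prompt for a password; fail instead
#
# SSH is overridable so the logic can be exercised without a network.
SSH=${SSH:-ssh}

# Nagios plugin exit codes.
STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2

# cm_alive HOST: returns 0 if a live control-master socket answers for HOST.
cm_alive() {
    "$SSH" -O check "$1" >/dev/null 2>&1
}

# check_controlmaster HOST: report on the master, (re)starting it if needed.
# ssh flags: -f go to background, -N run no remote command, -M act as master.
check_controlmaster() {
    host=$1
    if cm_alive "$host"; then
        echo "OK - ControlMaster for $host is up"
        return $STATE_OK
    fi
    if "$SSH" -fNM "$host" >/dev/null 2>&1 && cm_alive "$host"; then
        # A restart is worth a WARNING: checks that ran while the master was
        # down paid the full handshake cost or timed out.
        echo "WARNING - ControlMaster for $host was down and has been restarted"
        return $STATE_WARNING
    fi
    echo "CRITICAL - cannot establish ControlMaster for $host"
    return $STATE_CRITICAL
}

# Run as a plugin: check_controlmaster.sh HOST
if [ -n "$1" ]; then
    check_controlmaster "$1"
    exit $?
fi
```

Schedule it as an ordinary service check on the Nagios host itself, at a shorter interval than ControlPersist, so the master never expires between checks.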



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Kevin Keane
Michael Medin wrote:
 Kevin Keane skrev:
 Wouldn't the SSL certificates provide authentication comparable to 
 SSH keys? I'm not familiar with how NRPE uses SSL, but I would assume 
 that you could also use client certificates?
   
 I am no expert, but AFAIK it merely encrypts the traffic, i.e., no 
 certificates at all. If someone knows how to use certificates, please 
 feel free to let me know so I can add it to NSClient++, but from what I have 
 seen it is not possible...
No, that wouldn't be possible. Encryption always requires some form of 
key or another. In SSL, the key is embedded in the server's certificate. 
The client certificate is optional; it also contains a second encryption 
key. If you use client certificates, in effect the traffic is doubly 
encrypted.

You almost certainly *are* using certificates in NSClient++. But if you 
are using the standard Windows API functions, Windows transparently 
hides most of that complexity from you; the MSXML object and its ilk 
take care of it. You would be using the certificates from the Internet 
Explorer key store.


Actually, when I described how the SSL connection can use single or 
double encryption, I lied. It is more complicated than that. The SSL 
keys are extremely long (1024, 2048 bits or more), and they have to be 
because by nature they don't change over years. SSL keys in the 
certificates are also the public keys of a public/private key pair. 
These factors make using the SSL key for encryption *extremely* slow. 
That is why in reality, public key encryption is only used for extremely 
short messages (measured in bytes, not kilobytes).

To work around that, the client and the server generate yet another 
random key, this time a symmetric key (which has to be kept secret from 
anybody). This symmetric key is usually 128 bits or 256 bits. Unlike 
public-key encryption, symmetric encryption can be implemented very 
fast. This key is sent using the slow public-key encryption. The actual 
traffic is then encrypted using this second key, which will be thrown 
away after the connection ends.

Incidentally, SSH works basically the same way. The only substantial 
difference is that the public keys come from the authorized_keys file 
instead of a certificate.

Both SSL and SSH actually allow you to use various different encryption 
algorithms and mechanisms for exchanging keys under the hood. You may, 
for instance, see DHE for the key exchange, RSA for the public/private 
encryption, and AES for the symmetric encryption and SHA for hashing 
(which I haven't even touched on).



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Charlie Reddington

On Mar 25, 2009, at 2:30 PM, RijilV wrote:

 2009/3/24 Christopher McAtackney crist...@gmail.com:
 Hi all,

 I was wondering if someone could give a brief overview of the pros /
 cons of using NRPE to monitor my remote hosts versus using the
 check_by_ssh command?

 I'm aware that check_by_ssh increases the CPU overhead, but I'm not
 clear on the level of impact here - does this increase the load on  
 the
 monitoring machine in direct relation to the number of hosts being
 monitored? For example, if I was using check_by_ssh to monitor, say,
 2000 services spread across 200 hosts, would I experience significant
 slowdown on my monitoring machine?

 Cheers for any info,

 Chris



 SSH is going to slow it down on both sides of the communication.  SSH
 does quite a bit more in terms of setting up the connection, which
 involves using asymmetric encryption to set up a shared secret for
 symmetric encryption and verifying keys for the asymmetric part,
 verifying access, and allocating a session.  Whereas NRPE, even with
 encryption, just does a simple pre-shared secret for the symmetric
 encryption, which is much faster even if using the same encryption algorithm.


 One thing you could do with SSH to speed it up (and I would argue make
 it faster than NRPE, depending on the stability of your network) would
 be to use ControlMaster.  ControlMaster is an SSH v2 feature, where you
 create a connection and can open up multiple sessions with that
 ControlMaster for other SSH processes.  This saves you not only the
 key-exchange heavy lifting, but also you're not opening up a new socket
 on the remote host.  In order to really make it worth it you'd have to
 spawn a process that was continuously connected.  I wrote an ugly
 check_by_ssh that would spawn a ControlMaster if one didn't exist and
 use it if it did.  It reduced the load/latency quite a bit for SSH
 checks.  Though if I had to do it again I'd use 'ControlMaster auto'
 (man 5 ssh_config) and create a separate check that was responsible
 for maintaining the ControlMaster; then you could use the stock
 check_by_ssh without any modifications.


 That all being said, you might want to think about a distributed setup
 anyhow, if nothing more than for redundancy.  200 servers and 2,000 checks
 is a lot of responsibility for a singleton; you could break it 50/50
 between two servers that could take over for the other one if it
 fails.


 .r'


+1 on the control master. We have about 1000 checks over 300 hosts and  
using control master made the box much more stable and quite frankly  
usable. Saved a lot of plug-in timeouts as well.

Think about 1000 checks every 5 or 10 minutes. That's 1000 encrypted  
tunnels that are going up and down. That's a lot of overhead for a  
quick check, let alone if your server is checking say 5 or 10 things  
back to back.

http://www.torchbox.com/blog/ssh_tips_2.html

Charlie


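The ControlMaster arrangement suggested above (one long-lived master per host, a separate check that keeps it alive, and the stock check_by_ssh attaching to it) as an added example; this is not code from the thread, from Nagios or from the Nagios plugins. It assumes the checks run as a "nagios" user, a hypothetical socket directory /var/run/nagios/ssh-ctl, check_by_ssh's -o/--ssh-option flag, and an OpenSSH with ControlPersist (5.6 or later; in 2009 you would instead have kept a foreground `ssh -MN` alive under a supervisor).

```shell
#!/bin/sh
# Added example: keep one multiplexed SSH master per monitored host and let
# stock check_by_ssh ride on it.  Paths and the "nagios" user are assumptions.
#
# ~nagios/.ssh/config (assumed contents, shown for reference):
#   Host *
#       ControlMaster auto
#       ControlPath /var/run/nagios/ssh-ctl/%r@%h:%p
#       ControlPersist 600
#       BatchMode yes
#       StrictHostKeyChecking yes
#
# With ControlMaster auto the first ssh to a host becomes the master and every
# later ssh (including the one check_by_ssh spawns) attaches to its socket, so
# key exchange and authentication happen once per ControlPersist window.

CTL_DIR=${CTL_DIR:-/var/run/nagios/ssh-ctl}

# control_path HOST [USER] [PORT] -> the socket path the ssh_config above maps to
control_path() {
    cp_user=${2:-nagios}; cp_port=${3:-22}
    printf '%s/%s@%s:%s\n' "$CTL_DIR" "$cp_user" "$1" "$cp_port"
}

# ssh_opts HOST -> the -o options a check needs to share the master.
# Passing them explicitly keeps the check working even without ~/.ssh/config.
ssh_opts() {
    printf '%s\n' "-o ControlMaster=auto -o ControlPath=$(control_path "$1") -o ControlPersist=600 -o BatchMode=yes"
}

# master_up HOST -> 0 if a live master socket answers "ssh -O check", 1 otherwise
master_up() {
    ssh -o ControlPath="$(control_path "$1")" -O check "$1" >/dev/null 2>&1
}

# ensure_master HOST: the "separate check responsible for maintaining the
# ControlMaster".  Output and exit codes follow the Nagios plugin convention.
ensure_master() {
    # The socket directory is the keys to every monitored host: owner-only.
    mkdir -p "$CTL_DIR" && chmod 700 "$CTL_DIR"
    if master_up "$1"; then
        echo "OK - ssh master to $1 is up"; return 0
    fi
    # -M: act as master, -N: no remote command, -f: go to background after auth.
    if ssh $(ssh_opts "$1") -MNf "$1" && master_up "$1"; then
        echo "WARNING - ssh master to $1 was down, restarted"; return 1
    fi
    echo "CRITICAL - cannot establish ssh master to $1"; return 2
}

# run_check HOST PLUGIN...: unmodified check_by_ssh, pointed at the shared socket.
run_check() {
    rc_host=$1; shift
    check_by_ssh -H "$rc_host" -o "ControlPath=$(control_path "$rc_host")" \
        -o ControlMaster=auto -C "$*"
}

case ${1:-} in
    master) ensure_master "$2" ;;
    check)  shift; run_check "$@" ;;
esac
```

Two caveats worth knowing before rolling this out: the remote sshd caps sessions per connection with MaxSessions (default 10), so a host with more parallel checks than that will see the extra sessions refused until one finishes; and the socket directory is effectively an unlocked credential for every host the master reaches, so it belongs on local disk with owner-only permissions, as above, and never on a shared filesystem.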

Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Andrew Davis

Charlie Reddington wrote:

On Mar 25, 2009, at 2:30 PM, RijilV wrote:

  

2009/3/24 Christopher McAtackney crist...@gmail.com:


Hi all,

I was wondering if someone could give a brief overview of the pros /
cons of using NRPE to monitor my remote hosts versus using the
check_by_ssh command?

I'm aware that check_by_ssh increases the CPU overhead, but I'm not
clear on the level of impact here - does this increase the load on  
the

monitoring machine in direct relation to the number of hosts being
monitored? For example, if I was using check_by_ssh to monitor, say,
2000 services spread across 200 hosts, would I experience significant
slowdown on my monitoring machine?

Cheers for any info,

Chris

  

SSH is going to slow it down on both sides of the communication.  SSH
does quite a bit more in terms of setting up the connection which
involves using asymmetric encryption to setup a shared secret for
symmetric encryption and verifying keys for the asymmetric part,
verifying access, allocating a session.  Whereas NRPE even with
encryption just does a simple pre-shared secret for the symmetric
encryption, much faster even if using the same encryption algorithm.


One thing you could do with SSH to speed it up (and I would argue make
it faster than NRPE depending on the stability of your network) would
be to use ControlMaster.  ControlMaster is a SSH v2 feature, where you
create a connection and can open up multiple sessions with that
ControlMaster for other SSH processes.  This saves you not only the
key-exchange heavy lifting but also the cost of opening up a new socket
on the remote host.  In order to really make it worth it you'd have to
spawn a process that was continuously connected.  I wrote an ugly
check_by_ssh that would spawn a ControlMaster if one didn't exist and
use it if it did.  Reduced the load/latency quite a bit for SSH
checks.  Though if I had to do it again I'd use 'ControlMaster auto'
(man 5 ssh_config) and create a separate check that was responsible
for maintaining the ControlMaster, then you could use the stock
check_by_ssh without any modifications.


That all being said, you might want to think about a distributed setup
anyhow, if nothing more for redundancy.  200 servers and 2,000 checks
is a lot of responsibility for a singleton; you could break it 50/50
between two servers that could take over for the other one if it
fails.


.r'




+1 on the control master. We have about 1000 checks over 300 hosts and  
using control master made the box much more stable and quite frankly  
usable. Saved a lot of plug-in timeouts as well.


Think about 1000 checks every 5 or 10 minutes. That's 1000 encrypted  
tunnels that are going up and down. That's a lot of overhead for a  
quick check, let alone if your server is checking say 5 or 10 things  
back to back.


http://www.torchbox.com/blog/ssh_tips_2.html

Charlie

  
FWIW: I use both. I have about 400 internal servers that are considered 
to be trusted. I have another 50 or so that are outside our network 
(DMZ'd) and untrusted. To keep overhead low, I use NRPE on the internal 
hosts and check_by_ssh for the externals. Internally, using NRPE gives 
me greater flexibility in adjusting client thresholds (mounts to watch, 
varying memory ranges depending on how much is installed, etc). 
check_by_ssh gives me a secured, authenticated way of checking system 
externally (basic sshd_config setup to restrict ssh from nagios user and 
specific IP's only). I'm unwilling to use NRPE on an external, untrusted 
server, but don't want the overhead of encryption for internal, trusted 
systems...


 A. Davis
 Email: ncc...@gmail.com

 There is no limit to what a man can accomplish
  if he doesn't care who gets the credit. - Ronald Reagan


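The "restrict ssh from the nagios user and specific IPs only" setup mentioned above, worked through as an added example; it is not the poster's configuration and not part of Nagios. It assumes a monitoring server at 192.0.2.10, plugins installed in /usr/lib/nagios/plugins, and a hypothetical wrapper path /usr/local/sbin/nagios-cmd. Restricting the source address in sshd_config is only half of it: the key the monitoring server holds should also be unable to run anything but plugins, which is what the forced-command wrapper below enforces.

```shell
#!/bin/sh
# Added example: a forced-command wrapper for the monitoring key on a host you
# do not fully trust.  Plugin directory, user name and the monitoring server's
# address (192.0.2.10) are assumptions, not values from the thread.
#
# ~nagios/.ssh/authorized_keys on the monitored host (one line):
#   from="192.0.2.10",command="/usr/local/sbin/nagios-cmd",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... nagios@monitor
#
# /etc/ssh/sshd_config on the monitored host, the same limits enforced
# server-side so a sloppy key option cannot loosen them (list your other
# accounts in AllowUsers too, or nobody else can log in):
#   AllowUsers nagios@192.0.2.10 admin
#   Match User nagios
#       PasswordAuthentication no
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
#       ForceCommand /usr/local/sbin/nagios-cmd
#
# With a forced command, whatever check_by_ssh asked for (-C "...") arrives in
# SSH_ORIGINAL_COMMAND; this script decides whether it may run.

PLUGIN_DIR=${PLUGIN_DIR:-/usr/lib/nagios/plugins}

# allow_command CMDLINE -> 0 if CMDLINE is "<check_plugin> [args]" with the plugin
# an executable in PLUGIN_DIR and every argument free of shell metacharacters.
allow_command() {
    ac_cmd=$1
    [ -n "$ac_cmd" ] || return 1
    # Split on whitespace with globbing off, so a "*" cannot expand to file names.
    set -f; set -- $ac_cmd; set +f
    ac_plugin=$1
    case $ac_plugin in
        *[!A-Za-z0-9_]*) return 1 ;;   # bare name only: no "/", "..", ";" or quotes
        check_?*) ;;                   # and it has to look like a Nagios plugin
        *) return 1 ;;
    esac
    [ -x "$PLUGIN_DIR/$ac_plugin" ] || return 1
    shift
    for ac_arg in "$@"; do
        case $ac_arg in
            *[!A-Za-z0-9_.,=:%@+/-]*) return 1 ;;   # rejects $ ` ; | & < > ( ) ' " * ? \
            *..*) return 1 ;;                       # no parent-directory hops in path args
        esac
    done
    return 0
}

# Entry point when sshd runs this as the forced command.  Exit code 3 and the
# UNKNOWN prefix follow the Nagios plugin convention, so the monitoring server
# sees a clear "not permitted" instead of a timeout.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_command "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
        fc_plugin=$1; shift
        exec "$PLUGIN_DIR/$fc_plugin" "$@"
    fi
    logger -p auth.warning -t nagios-cmd "rejected from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    echo "UNKNOWN - command not permitted by nagios-cmd"
    exit 3
fi
```

The allow-list is deliberately narrower than "anything in the plugin directory": a compromised monitoring server holding this key can then at most run the plugins you already let it run, with arguments that cannot smuggle in a second command, a redirection, or a path outside the plugin's normal inputs. Whether to also drop "/" from the argument alphabet depends on which plugins you use (check_disk -p needs it).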
Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Michael Medin

Kevin Keane wrote:

Michael Medin wrote:
  

Kevin Keane wrote:

Wouldn't the SSL certificates provide authentication comparable to 
SSH keys? I'm not familiar with how NRPE uses SSL, but I would assume 
that you could also use client certificates?
  
  
I am no expert but AFAIK it merely encrypts the traffic ie, no 
certificates at all. If someone knows how to use certificates please 
feel free to let me know so I can add it to NSClient++ but what I have 
seen it is not possible...

No, that wouldn't be possible. Encryption always requires some form of 
key or another. In SSL, the key is embedded in the server's certificate. 
The client certificate is optional; it also contains a second encryption 
key. If you use client certificates, in effect the traffic is doubly 
encrypted.
  

Humm.
The cipher used is ADH which is anonymous DH cipher suites in addition 
to a pre shared *known* secret (read un-secret). Again I am no expert 
but I always interpreted the secret key (DH) thingy as a key and not a 
certificate but mayhap I got it all wrong? (in which case it might be 
possible to use proper certificates?)


And I am actually using openssl but mayhap it has a built-in keystore as 
well?


// Michael Medin
You almost certainly *are* using certificates in NSClient++. But if you 
are using the standard Windows API functions, Windows transparently 
hides most of that complexity from you; the MSXML object and its ilk 
take care of it. You would be using the certificates from the Internet 
Explorer key store.



Actually, when I described how the SSL connection can use single or 
double encryption, I lied. It is more complicated than that. The SSL 
keys are extremely long (1024, 2048 bits or more), and they have to be 
because by nature they don't change over years. SSL keys in the 
certificates are also the public keys of a public/private key pair. 
These factors make using the SSL key for encryption *extremely* slow. 
That is why in reality, public key encryption is only used for extremely 
short messages (measured in bytes, not kilobytes).


To work around that, the client and the server generate yet another 
random key, this time a symmetric key (which has to be kept secret from 
anybody). This symmetric key is usually 128 bits or 256 bits. Unlike 
public-key encryption, symmetric encryption can be implemented very 
fast. This key is sent using the slow public-key encryption. The actual 
traffic is then encrypted using this second key, which will be thrown 
away after the connection ends.


Incidentally, SSH works basically the same way. The only substantial 
difference is that the public keys comes from the authorized_keys file 
instead of a certificate.


Both SSL and SSH actually allow you to use various different encryption 
algorithms and mechanisms for exchanging keys under the hood. You may, 
for instance, see DHE for the key exchange, RSA for the public/private 
encryption, and AES for the symmetric encryption and SHA for hashing 
(which I haven't even touched on).


  



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-25 Thread Kevin Keane
Michael Medin wrote:
 Kevin Keane wrote:
 Michael Medin wrote:
   
 Kevin Keane wrote:
 
 Wouldn't the SSL certificates provide authentication comparable to 
 SSH keys? I'm not familiar with how NRPE uses SSL, but I would assume 
 that you could also use client certificates?
   
   
 I am no expert but AFAIK it merely encrypts the traffic ie, no 
 certificates at all. If someone knows how to use certificates please 
 feel free to let me know so I can add it to NSClient++ but what I have 
 seen it is not possible...
 
 No, that wouldn't be possible. Encryption always requires some form of 
 key or another. In SSL, the key is embedded in the server's certificate. 
 The client certificate is optional; it also contains a second encryption 
 key. If you use client certificates, in effect the traffic is doubly 
 encrypted.
   
 Humm.
 The cipher used is ADH which is anonymous DH cipher suites in 
 addition to a pre shared *known* secret (read un-secret). Again I am 
 no expert but I always interpreted the secret key (DH) thingy as a 
 key and not a certificate but mayhap I got it all wrong? (in which 
 case it might be possible to use proper certificates?)

 And I am actually using openssl but mayhap it has a built-in keystore 
 as well?
I stand corrected.

Interesting... DH stands for Diffie Hellman (usually, that refers to the 
Diffie Hellman Key Agreement algorithm). I didn't know that openssl 
supported ADH (the A stands for anonymous), and I wonder how many other 
SSL implementations have it, since ADH really doesn't make much sense. 
According to the openssl documentation, ADH is actually the one cipher 
not included in the default list of ciphers. And with good reason, 
because, you are right, it does not do any kind of authentication, and 
therefore actually provides no security (not even from eavesdropping, 
because a man-in-the-middle attack is trivial).

Diffie Hellman is actually used for most SSL connections, but in a 
different form.

Basically, the idea behind DH is that both parties agree on two 
pre-shared large prime numbers. In the case of ADH, these same numbers 
are known to everybody in the world. In other forms of DH cipher, these 
two numbers are only known to the two parties exchanging information - 
that's what actually gets encrypted with the public/private encryption 
based on the keys from the certificates.

When client and server want to communicate, both separately generate 
random numbers. These numbers truly are secret. The client then applies 
some mathematical magic between the random number and the two primes, 
and the server does the same on its end. Then the server sends the 
result of this magic to the client, and vice versa. Finally, both of 
them multiply the result of the other side's magic with their own random 
number. In the end, both sides end up with the same result, even though 
neither ever sent its random number. This final result is the key. I 
used to teach a network security class that included the math behind DH, 
but I still can't remember the details. Diffie and Hellman must have 
been brainiacs to come up with that. It basically is a very tricky way 
to obscure the random numbers.

Yes, it would indeed work without any certificate. You could think of it 
as a certificate with a zero-length public/private key (and with 
zero-length everything else, too).

openssl does have a key store, in the form of a certificate store. 
Creating and installing proper certificates is not difficult. You can 
probably use self-signed certificates here. Since you have control over 
both clients and servers, trusting the certificate shouldn't be an issue.

-- 
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About

Office: 866-642-7116
http://www.4nettech.com

This e-mail and attachments, if any, may contain confidential and/or 
proprietary information. Please be advised that the unauthorized use or 
disclosure of the information is strictly prohibited. The information herein is 
intended only for use by the intended recipient(s) named above. If you have 
received this transmission in error, please notify the sender immediately and 
permanently delete the e-mail and any copies, printouts or attachments thereof.



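A small worked instance of the Diffie-Hellman exchange discussed above, added here and not part of the thread. Both sides share a public prime p and generator g, each keeps a random secret, and each combines the other's transmitted value with its own secret to reach the same key. The toy parameters (p = 23, g = 5, hand-picked secrets) keep the arithmetic visible; real DH uses primes of 2048 bits or more. The second function plays the man in the middle that the anonymous (ADH) suites the thread says NRPE uses cannot detect: in an authenticated suite the server signs its DH value with the key in its certificate, and it is exactly that signature the anonymous suites omit.

```shell
#!/bin/sh
# Added example: Diffie-Hellman with toy parameters, plus the man-in-the-middle
# that anonymous DH cannot detect.  p and g are public; in real use p is a
# safe prime of 2048 bits or more and the secrets come from a CSPRNG.
P=23
G=5

# modpow BASE EXP MOD -> BASE^EXP mod MOD by square-and-multiply.
# Correct for MOD below 2^31 in 64-bit sh arithmetic (products stay under MOD^2).
modpow() {
    mp_b=$(( $1 % $3 )); mp_e=$2; mp_m=$3; mp_r=1
    while [ "$mp_e" -gt 0 ]; do
        if [ $(( mp_e % 2 )) -eq 1 ]; then mp_r=$(( mp_r * mp_b % mp_m )); fi
        mp_e=$(( mp_e / 2 ))
        mp_b=$(( mp_b * mp_b % mp_m ))
    done
    echo "$mp_r"
}

# dh_public SECRET -> g^secret mod p, the value that goes over the wire
dh_public() { modpow "$G" "$1" "$P"; }

# dh_shared PEER_PUBLIC SECRET -> peer_public^secret mod p, the agreed key
dh_shared() { modpow "$1" "$2" "$P"; }

# honest_exchange A_SECRET B_SECRET -> "keyA keyB"; equal when nobody interferes
honest_exchange() {
    he_A=$(dh_public "$1"); he_B=$(dh_public "$2")
    echo "$(dh_shared "$he_B" "$1") $(dh_shared "$he_A" "$2")"
}

# mitm_exchange A_SECRET B_SECRET M_SECRET -> "keyA keyB keyMA keyMB"
# Mallory swaps both public values for her own.  Alice and Bob each complete a
# perfectly valid DH run, just not with each other: keyA == keyMA and
# keyB == keyMB, so Mallory decrypts, reads and re-encrypts every record.
# Nothing in an anonymous suite lets either side notice.
mitm_exchange() {
    me_A=$(dh_public "$1"); me_B=$(dh_public "$2"); me_M=$(dh_public "$3")
    me_keyA=$(dh_shared "$me_M" "$1")    # Alice believes me_M came from Bob
    me_keyB=$(dh_shared "$me_M" "$2")    # Bob believes me_M came from Alice
    me_keyMA=$(dh_shared "$me_A" "$3")   # Mallory's key towards Alice
    me_keyMB=$(dh_shared "$me_B" "$3")   # Mallory's key towards Bob
    echo "$me_keyA $me_keyB $me_keyMA $me_keyMB"
}

if [ "${1:-}" = demo ]; then
    echo "honest: $(honest_exchange 6 15)"      # both sides derive 2
    echo "mitm:   $(mitm_exchange 6 15 13)"     # 18 7 18 7: two keys, one per victim
fi
```

The pre-shared "secret" the thread mentions does not change this picture: a constant compiled into every copy of NRPE is known to the attacker too, so it contributes nothing an interceptor lacks. What stops the substitution in a normal TLS session is that the server's DH value arrives signed by a key the client can check against a certificate it trusts; tie the value to an identity and Mallory's me_M fails verification.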

Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-24 Thread Christopher McAtackney
2009/3/24 Michael Schwartzkopff mi...@multinet.de:
 On Tuesday, 24 March 2009 10:45:08, Christopher McAtackney wrote:
 Hi all,

 I was wondering if someone could give a brief overview of the pros /
 cons of using NRPE to monitor my remote hosts versus using the
 check_by_ssh command?

 I'm aware that check_by_ssh increases the CPU overhead, but I'm not
 clear on the level of impact here - does this increase the load on the
 monitoring machine in direct relation to the number of hosts being
 monitored? For example, if I was using check_by_ssh to monitor, say,
 2000 services spread across 200 hosts, would I experience significant
 slowdown on my monitoring machine?

 Cheers for any info,

 Chris

 hi,

 Use SNMP! No need to install anything on the target system. SNMP Agents are
 already installed on nearly all systems.

 Since everything speaks SNMP you can gather info about hardware, operating
 system AND applications, independent of any OS.

 nagios: check_snmp

 Greetings,

 --
 Dr. Michael Schwartzkopff

This sounds interesting Michael. I searched around a bit, but wasn't
able to find a good introduction to using check_snmp. Could you
suggest an article / tutorial / blog entry somewhere that would be
suitable for a Nagios newbie?

Cheers,
Chris



Re: [Nagios-users] NRPE vs. check_by_ssh

2009-03-24 Thread Kevin Keane
I think you are comparing apples and oranges here, because in most 
situations that I can think of, the decision is dictated by the network 
topology. If you are exclusively on a trusted private network, 
check_by_ssh really doesn't offer any benefits. Conversely, if your 
topology involves the Internet or some other untrusted network (WiFi), 
then you wouldn't want NRPE in the first place.

The only exception to the above that I can think of is when it comes to 
deciding between using check_by_ssh over an untrusted network, vs. NRPE 
through some other kind of tunnel or VPN. But in that case, you'd incur 
encryption overhead either way, and the comparison is very different 
from the question you asked.

All that said: I don't have any first-hand experience, but I suspect 
that the impact of establishing 2200 ssh connections in a five-minute 
span (assuming that you are using a five-minute check interval) is 
pretty substantial. The main impact actually lies in establishing and 
tearing down the connections, key negotiations etc.; the encryption 
during the data phase probably has only limited impact because most 
checks only transmit a few bytes back and forth.

SSH does much better with longer-duration connections when the keys are 
already exchanged. This is even more true if you have a router-based 
VPN, because in that case the overhead is offloaded to a different machine.

So if you have the option of sending the checks as NRPE through one or a 
few long-term VPNs: you are probably going to be better off. Of course, 
in the big picture, your mileage may vary.

Christopher McAtackney wrote:
 Hi all,

 I was wondering if someone could give a brief overview of the pros /
 cons of using NRPE to monitor my remote hosts versus using the
 check_by_ssh command?

 I'm aware that check_by_ssh increases the CPU overhead, but I'm not
 clear on the level of impact here - does this increase the load on the
 monitoring machine in direct relation to the number of hosts being
 monitored? For example, if I was using check_by_ssh to monitor, say,
 2000 services spread across 200 hosts, would I experience significant
 slowdown on my monitoring machine?

 Cheers for any info,

 Chris
   


-- 
Kevin Keane
Owner
The NetTech
Find the Uncommon: Expert Solutions for a Network You Never Have to Think About

Office: 866-642-7116
http://www.4nettech.com

This e-mail and attachments, if any, may contain confidential and/or 
proprietary information. Please be advised that the unauthorized use or 
disclosure of the information is strictly prohibited. The information herein is 
intended only for use by the intended recipient(s) named above. If you have 
received this transmission in error, please notify the sender immediately and 
permanently delete the e-mail and any copies, printouts or attachments thereof.

