Ndo 1.4b7 patch : SSL connections

nap naparuba at gmail.com
Thu Nov 6 14:36:57 CET 2008


On Thu, Nov 6, 2008 at 2:24 PM, Hendrik Bäcker <andurin at process-zero.de> wrote:
> nap wrote:
>> Hi List,
>>
>>
>> I wrote a patch for ndo 1.4b7 (ndomod and ndo2db): the SSL
>> connection. The code comes from nrpe. I think this can be useful
>> with distributed Nagios; the communications between the secondary
>> Nagios and ndo2db are in plaintext and we can see the name of the
>> host in it.
>>
> Nice thing.
>> The patch just applies the SSL connection to the socket of the
>> connection between ndomod and ndo2db (just for a TCP connection, I
>> don't think it is useful for a Unix socket...).
> I guess it becomes very useful for the situation of "outside-my-lan"
> nagios servers with "internal" db hosts.
Even in the LAN, it's easy to make a man-in-the-middle attack with
ARP. And my security officer does not want plaintext. Now he is
happy and allows me to put distributed Nagios in production :)

> But do you have ideas about the performance situation?
> encryption takes CPU time and ndomod is usually not very quiet on the wire.
>>
>> In the patch you can see the dh.h file from nrpe. In nrpe it's
>> generated by ./configure but I don't know how to modify it. The
>> Makefile needs the ssl lib too, but I don't know how to modify the
>> autoconf (I left a Makefile.new in the patch to show what to
>> modify), if someone can help me on this ;)
> I will have a look at it.
Thanks.

>>
>> For the moment the patch applies SSL to all connections, but
>> maybe we can put the use_ssl argument into ndo2db.conf and
>> ndomod.conf.
>>
> That would be the best way.
Ok, I'll see how to change it.

>> I tested with a small server and 4000 services and I don't see any
>> overload of ndo2db or nagios due to the SSL. It can't be null, just
>> small.
>>
> mkay... drop my above question ;)
I tested on my small dev server (virtual machine...), I'll put it onto
my production server (6000 services) and see if the traffic on lo (ndo
connection over TCP on localhost) is high or the load average reaches the top
:)


>
> Nice thing, I am on your side for testing and helping hands.
Thanks again :)

> Hendrik
Gabès Jean


> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Nagios-devel mailing list
> Nagios-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-devel
>

More information about the Developers mailing list