nrpe on Microsoft machines

Michael Tucker mtucker at airmail.net
Fri Jan 16 21:54:08 CET 2004


On Friday, January 16, 2004, at 02:08  PM, Neil wrote:

> It's me again. I have a question about security in NRPE service on 
> windows machines. Nagios is getting good visibility in where I work. 
> But their concern is that it's open source. What can you say guys about 
> NRPE service? What's the best way of protecting it? The reason I am 
> asking this is because, nagios will be monitoring production servers.

Under Unix, nrpe can be run under inetd; so you have the benefit of tcp 
wrappers to improve security (a little). In theory, you also have SSL 
security available, which would be very nice; but in practice, I have 
been unable to get that to work (for Solaris 9).

Under Windows, I have to leave that answer to someone else. :-)

> And also, rstatd on Solaris. Our Solaris are in production too. What 
> can you say about security issues in rstatd if there are? Are there 
> any other alternatives to monitor solaris cpu, disk, etc?
> Thanks guys for your help.
> neil
>

As of 1997, there was a well-documented vulnerability in statd/rstatd 
(see CERT® Advisory CA-97.26.statd, 
<http://www.cert.org/advisories/CA-97.26.statd.html>, "Buffer Overrun 
Vulnerability in statd(1M) Program"). But there have been effective 
patches that solve that problem since 1999. If your Solaris machines 
are up to date on their patches, I don't think you should have a problem 
with that particular vulnerability.

Of course, any time you have a machine with RPC services (such as 
rstatd) exposed to the Internet, you face a certain amount of risk. My 
advice is to shelter your production servers behind a good firewall. 
Don't allow the Internet to "see" their RPC service ports. Only allow a 
server running Nagios *behind* the firewall to access those machines. 
If it must report to a Nagios server outside the firewall, you can do 
so via nsca (which has some nice encryption schemes available to it, 
including Blowfish and 3DES). At worst, the Nagios distributed server 
is the "sacrificial goat" that is visible to the Internet, and 
therefore subject to being hacked. Your production machines should be 
relatively secure in such a configuration.

I am using check_disk, check_users, etc., locally on a monitored 
Solaris host; using nrpe and check_nrpe to collect the results on a 
distributed Nagios server on that host's LAN (which does checks, but 
not notifications); and using nsca and send_nsca to pass the results to 
a central Nagios server, which does notifications, etc., but no active 
checks (only passive service checks).

Obviously, you have to be the final judge of your own security policies 
and how they are implemented, but personally, I feel pretty secure with 
such a setup. Your mileage may vary.

Yours,
Michael
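
The tcp wrappers protection mentioned above only restricts nrpe when the inetd entry really goes through tcpd and hosts.deny carries a catch-all rule. The following is an added example, not part of the original message, that checks both over constructed sample files; the file paths, the 192.0.2.10 monitor address and the function names are assumptions.

```python
import os

# Constructed sample files; paths and the monitor address are assumptions.
INETD_CONF = (
    "nrpe stream tcp nowait nagios /usr/sbin/tcpd "
    "/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg --inetd\n"
)
HOSTS_ALLOW = "nrpe: 192.0.2.10\n"
HOSTS_DENY = "ALL: ALL\n"


def wrapped_daemon(inetd_conf, service="nrpe"):
    """Name tcpd matches rules against (basename of the wrapped program), or None."""
    for line in inetd_conf.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 7 and f[0] == service and os.path.basename(f[5]) == "tcpd":
            return os.path.basename(f[6])
    return None


def clients_for(rules, daemon):
    """Client patterns from hosts.allow/hosts.deny text that apply to daemon.
    Simplified: ignores wildcards other than ALL, EXCEPT, and bracketed IPv6."""
    clients = []
    for line in rules.splitlines():
        parts = [p.strip() for p in line.split("#", 1)[0].split(":")]
        daemons = parts[0].replace(",", " ").split()
        if len(parts) >= 2 and (daemon in daemons or "ALL" in daemons):
            clients += parts[1].replace(",", " ").split()
    return clients


def audit(inetd_conf, hosts_allow, hosts_deny, monitors, service="nrpe"):
    """Return a list of findings; an empty list means no problem was found."""
    daemon = wrapped_daemon(inetd_conf, service)
    if daemon is None:
        return [f"{service} is not started through tcpd"]
    findings = []
    extra = [c for c in clients_for(hosts_allow, daemon) if c not in monitors]
    if extra:
        findings.append("hosts.allow admits unexpected clients: " + ", ".join(extra))
    # tcpd grants access when neither file matches, so a catch-all deny is required.
    if "ALL" not in clients_for(hosts_deny, daemon):
        findings.append("hosts.deny has no catch-all for " + daemon)
    return findings


if __name__ == "__main__":
    print(audit(INETD_CONF, HOSTS_ALLOW, HOSTS_DENY, {"192.0.2.10"}) or "ok")
```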


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users