nrpe on Microsoft machines

Neil neil-on-nagios at restricted.dyndns.org
Fri Jan 16 21:58:13 CET 2004


Am I correct that nrpe on unix and rstatd on unix are 2 separate options? If
they are, I might just as well go with nrpe. I thought it was only for Windows
machines. Problem is, where can I find nrpe for unix that will work on
Solaris?

About security, you're right. I will have to ask the guys to enable
tcpwrapper for the nrpe service. In that way, nagios will be the only one to
connect to the daemon.

Also eventually, if the managers like nagios (coz now they liked it), I
will present to them a distributed nagios setup. Does this mean that all the
monitoring hosts will only be doing passive checks?

Thanks for the advice. It really helped. 

Michael Tucker writes: 

> 
> On Friday, January 16, 2004, at 02:08  PM, Neil wrote: 
> 
>> It's me again. I have a question about security in NRPE service on windows
>> machines. Nagios is getting good visibility in where I work. But their 
>> concern is that it's opensource. What can you say guys about NRPE 
>> service? What's the best way of protecting it? The reason I am asking 
>> this is because, nagios will be monitoring production servers.
> 
> Under Unix, nrpe can be run under inetd; so you have the benefit of tcp 
> wrappers to improve security (a little). In theory, you also have SSL 
> security available, which would be very nice; but in practice, I have been 
> unable to get that to work (for Solaris 9). 
> 
> Under Windows, I have to leave that answer to someone else. :-) 
> 
>> And also, rstatd on solaris. Our solaris are in production too. What can 
>> you say about security issues in rstatd if there are? Are there any other 
>> alternatives to monitor solaris cpu, disk, etc?
>> Thanks guys for your help.
>> neil 
>> 
> 
> As of 1997, there was a well-documented vulnerability in statd/rstatd (see
> CERT® Advisory CA-97.26.statd,
> <http://www.cert.org/advisories/CA-97.26.statd.html>, "Buffer Overrun
> Vulnerability in statd(1M) Program"). But there have been effective
> patches that solve that problem since 1999. If your Solaris machines are
> up to date on their patches, I don't think you should have a problem with
> that particular vulnerability.
> 
> Of course, any time you have a machine with RPC services (such as rstatd) 
> exposed to the Internet, you face a certain amount of risk. My advice is 
> to shelter your production servers behind a good firewall. Don't allow the 
> Internet to "see" their RPC service ports. Only allow a server running 
> Nagios *behind* the firewall to access those machines. If it must report 
> to a Nagios server outside the firewall, you can do so via nsca (which has 
> some nice encryption schemes available to it, including Blowfish and 
> 3DES). At worst, the Nagios distributed server is the "sacrificial goat" 
> that is visible to the Internet, and therefore subject to being hacked. 
> Your production machines should be relatively secure in such a 
> configuration. 
> 
> I am using check_disk, check_users, etc., locally on a monitored Solaris 
> host; using nrpe and check_nrpe to collect the results on a distributed 
> Nagios server on that host's LAN (which does checks, but not 
> notifications); and using nsca and send_nsca to pass the results to a 
> central Nagios server, which does notifications, etc., but no active 
> checks (only passive service checks). 
> 
> Obviously, you have to be the final judge of your own security policies 
> and how they are implemented, but personally, I feel pretty secure with 
> such a setup. Your mileage may vary. 
> 
> Yours,
> Michael
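
The TCP wrappers restriction discussed in this thread (nrpe run from inetd, with only the Nagios server allowed to connect) can be checked with a small audit script. This is an added example, not part of the original messages; the file paths, the `nagios` user and the address 192.0.2.10 are assumptions.

```shell
# Added example: audit that an inetd-launched nrpe accepts only one client.
# Paths, the "nagios" user and 192.0.2.10 are assumptions, not from the thread.
# Print the client patterns of every rule in a hosts.allow/hosts.deny style
# file ($2) whose daemon list names $1 or ALL (IPv4 and hostnames only).
rule_clients() {
    awk -F: -v d="$1" '
        /^[ \t]*(#|$)/ { next }
        { n = split($1, names, /[ \t,]+/)
          for (i = 1; i <= n; i++)
              if (names[i] == d || names[i] == "ALL") {
                  m = split($2, c, /[ \t,]+/)
                  for (j = 1; j <= m; j++) if (c[j] != "") print c[j]
              }
        }' "$2"
}

# Usage: audit_nrpe_wrappers INETD_CONF HOSTS_ALLOW HOSTS_DENY NAGIOS_IP
# Prints one finding per line and returns 0 only when there are none.
audit_nrpe_wrappers() {
    findings=$(
        # inetd.conf field 6 is the program inetd executes; unless it is
        # tcpd, hosts.allow and hosts.deny are never consulted for nrpe.
        server=$(awk '$1 == "nrpe" { print $6; exit }' "$1")
        [ "${server##*/}" = tcpd ] || echo "nrpe-not-started-via-tcpd"
        # The only client pattern allowed should be the Nagios server itself.
        allowed=$(rule_clients nrpe "$2")
        echo "$allowed" | grep -qxF "$4" || echo "nagios-ip-not-listed"
        echo "$allowed" | grep -vxF "$4" | sed '/^$/d; s/^/allow-too-broad:/'
        # No matching rule means access is granted, so a catch-all deny is needed.
        rule_clients nrpe "$3" | grep -qxF ALL || echo "no-default-deny"
    )
    [ -z "$findings" ] && return 0
    echo "$findings"
    return 1
}

# Constructed sample files: a weak setup and a hardened one.
make_samples() {
    echo 'nrpe stream tcp nowait nagios /usr/local/nagios/bin/nrpe nrpe -c /usr/local/nagios/etc/nrpe.cfg -i' > "$1/inetd.weak"
    echo 'nrpe stream tcp nowait nagios /usr/sbin/tcpd /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -i' > "$1/inetd.ok"
    echo 'nrpe: 192.0.2.10, 192.0.2.0/255.255.255.0' > "$1/allow.weak"
    echo 'nrpe: 192.0.2.10' > "$1/allow.ok"
    : > "$1/deny.weak"
    echo 'ALL: ALL' > "$1/deny.ok"
}

dir=$(mktemp -d) && make_samples "$dir"
audit_nrpe_wrappers "$dir/inetd.weak" "$dir/allow.weak" "$dir/deny.weak" 192.0.2.10 || true
audit_nrpe_wrappers "$dir/inetd.ok" "$dir/allow.ok" "$dir/deny.ok" 192.0.2.10 && echo "hardened: no findings"
```

The weak sample reports three findings; the hardened one passes because nrpe is started through tcpd, hosts.allow lists only the Nagios server, and hosts.deny carries a catch-all rule.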
 

