Distributed monitoring vs nrpe

Paul L. Allen pla at softflare.com
Mon Mar 22 02:21:12 CET 2004


James Bowes writes: 

> 1. Is the plugin checking for nrpe safe and secure?

Depends what you mean by "safe and secure."  The traffic is encrypted,
so eavesdroppers cannot read the results.  However, unless you use
tcpwrappers to allow access only from trusted hosts, ANYONE can submit
queries and/or run DoS attacks. 

> 2. Is a distributed server the best way to handle things?

That depends very much on your precise circumstances. 

Check_nrpe works well provided your monitoring host has a fixed IP (or
else you cannot block outsiders using tcpwrappers) otherwise it is
insecure.  Check_nrpe also has problems with monitored hosts unless you
have a dynamic DNS solution.  Check_nsca is more secure than check_nrpe
since an explicit password has to be set, but unless the monitoring host
has fixed IP or a sensible dynamic DNS solution it won't work.
Check_by_ssh works (but is a bit of a pain to configure) provided your
monitored hosts have fixed IP or a sensible dynamic DNS solution.  However,
check_by_ssh will leave a lot of hanging processes at both ends if there
are problems. 

You can also use VPNs, but these too have problems with security,
reliability, recovery from outages, coping with IPs that change, etc.
PPTP is insecure but copes well with outages.  VTUND is secure but copes
badly with outages and tunnels TCP over TCP so you get exponential
backoffs (double-plus ungood). IPSEC with the Cisco extensions to deal
with outages is probably secure (the spec is too obfuscated to ever be
sure) and appears to cope sensibly with outages. 

There is NO "one size fits all" solution to this problem.  For various
reasons, I prefer NSCA over NRPE, but that's what happens to best fit
my needs.  I started with NRPE, realized that it didn't fit my needs,
switched to check_by_ssh, realized it almost fitted my needs, switched
to NSCA.  But no two situations are alike, and I can envisage a setup
with a mix of all those solutions.  You'll just have to suck it and see... 

-- 
Paul Allen
Softflare Support 
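
Added example, not part of the original message: a simplified evaluator for the tcpwrappers rule order from hosts_access(5), showing why an NRPE port with no rules answers anyone while an allow/deny pair limits it to the monitoring host. The daemon name "nrpe", the addresses and the rule files are constructed for illustration, and only a subset of client patterns (ALL, exact IP, "a.b." prefix, net/mask) is handled.

```python
import ipaddress

def _client_matches(pattern, client_ip):
    """Match one client pattern (subset of hosts_access(5) syntax)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # "192.0.2." matches any address with that prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:               # net/mask form, e.g. 192.0.2.0/255.255.255.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    return pattern == client_ip

def _file_matches(rules_text, daemon, client_ip):
    """True if any 'daemon_list : client_list' line matches daemon and client."""
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]   # optional shell-command field ignored
        daemons = daemons.replace(",", " ").split()
        clients = clients.replace(",", " ").split()
        if (daemon in daemons or "ALL" in daemons) and any(
                _client_matches(p, client_ip) for p in clients):
            return True
    return False

def tcpwrappers_allows(hosts_allow, hosts_deny, daemon, client_ip):
    """Rule order: a hosts.allow match grants, else a hosts.deny match
    refuses, else access is granted by default."""
    if _file_matches(hosts_allow, daemon, client_ip):
        return True
    if _file_matches(hosts_deny, daemon, client_ip):
        return False
    return True

# Constructed sample data (documentation address ranges).
MONITOR, OUTSIDER = "192.0.2.10", "198.51.100.7"
NO_RULES = ("", "")                                   # empty allow and deny files
RESTRICTED = ("nrpe: 192.0.2.10\n", "nrpe: ALL\n")    # hosts.allow, hosts.deny

if __name__ == "__main__":
    for name, (allow, deny) in (("no rules", NO_RULES), ("restricted", RESTRICTED)):
        for ip in (MONITOR, OUTSIDER):
            print(name, ip, tcpwrappers_allows(allow, deny, "nrpe", ip))
```

The restricted pair only helps when the monitoring host keeps the address listed in hosts.allow, which is the fixed-IP requirement described in the message.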



