check_by_ssh question

Andreas Ericsson ae at op5.se
Mon Mar 29 18:19:08 CEST 2004


Peter Gutmann wrote:
> Your assumption that I am simply reciting the opening paragraphs of a book 
> on the introduction to computer security is simply false. 

Sorry about that. It just pretty much sounded like it since you were so 
far off topic.

> While I have no 
> idea of your experience level with UNIX, networks, and the basic security 
> concepts (and you obviously have absolutely no idea of my experience). 

True. I jumped to conclusions. My apologies.

> The 
> most basic concept is knowing what you are protecting. 

Indeed.

> If you understood 
> what the purpose of the ssh tools was (to build an encrypted channel 
> between machines http://www.openssh.com/goals.html ) that can then be used 
> to protect against snooping the user ID, passwords, and data from the 
> wire.  So, if you are looking to do authentication or detect attack 
> profiles with ssh, you are looking in the wrong place.
> 

I'm not. We were involved in a discussion regarding the added risk of 
running ssh from one server with passphrase-less key access to other 
servers. If you had read the archives you would have known this, 
and could possibly have made a valuable contribution.

> While you are sure that I have been reading (and reciting) the platitudes 
> (http://www.m-w.com/cgi-bin/dictionary?book=Dictionary&va=platitudes&x=19&y=13) 
> posted on the Bugtraq mailing lists, you seem to be missing the point of 
> what I was saying. The best way to prevent an attack from your Nagios
> monitoring host on the hosts that you are monitoring is to prevent the 
> initial attack on the Nagios monitoring host in the first place. 

Blindingly obvious, but correct. The topic at hand, however, was how to 
minimize damage IF the monitoring server was compromised.

> Because 
> once the bad guy has access to the box that battle you are trying to fight 
> is lost (unless you added an intention bit to the TCP header :-).  So, you 
> are looking to fight the wrong battle (i.e. bringing a knife to a gun 
> fight).

I never go anywhere without a good trusty nuke. ;-)

> 
> You seem to be making a very common and very basic mistake. Not looking at 
> the whole problem. 

Looking at the whole problem requires in-depth analysis of its smaller 
parts. How can you otherwise know what each part represents in the 
greater picture? In this thread we were discussing the specifics of 
check_by_ssh (as shown by the topic). General network security has other 
forums better suited for it.

> You seem to be looking at the piece of the puzzle 
> between that Nagios host and the hosts that you are watching. 

Correct. A very interesting piece as well, for obvious reasons, and one 
that belongs on the nagios-users mailing list.

> There is 
> simply no way to tell if the opening packets in a new TCP connection from 
> a machine (hosta) which is destined for the machine (hostb) are part of 
> your normal checks or the beginning of an attempted exploit of the machine 
> (ask the people from Network Flight Recorders www.nfr.com). You could
> attempt to correlate the initiation of a TCP connection to the monitored 
> host, and the startup of the check_ssh executable. However that would 
> consume a huge amount of resources for a very limited result (the easiest
> way to defeat this would be replace the check_ssh executable). 
> 

check_by_ssh works as it's supposed to. That's sort of the problem in 
this particular scenario.

The proper way around this as I see it would be to have a public / 
private key-pair for NRPE, and remove passphrase-less key-based ssh 
access from the monitoring server altogether.

> ----
> Peter Gutmann
> Peter.Gutmann at db.com
> 
-- 

Cheers,
Sourcerer / Andreas Ericsson
OP5 AB
+46 (0)733 709032
andreas.ericsson at op5.se
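The mitigation sketched in the message above is to take passphrase-less key access away from the monitoring host altogether. A middle ground the thread does not spell out is to keep the key but pin it down in the monitored host's authorized_keys: a forced command, a source-address restriction and no forwarding or pty, so that a compromised Nagios host can only run the checks it was already running. The script below is an added example, not code from this thread or from the Nagios project; the monitoring host address, the wrapper path, the libexec directory and the sample key material are all constructed assumptions.

```shell
#!/bin/sh
# Added example: restrict what a passphrase-less check_by_ssh key may do on
# the monitored host, and validate that an authorized_keys entry is restricted.
# None of the paths or addresses below come from the thread; they are assumptions.

MONITOR_HOST="192.0.2.10"                          # constructed address (documentation range)
CHECK_WRAPPER="/usr/local/bin/nagios-check-wrapper" # hypothetical forced-command wrapper
LIBEXEC="/usr/local/nagios/libexec"                 # assumed plugin directory

# Build one authorized_keys line for the monitoring host's key.
# Usage: restricted_entry <from-host> <forced-command> <keytype> <base64-key> <comment>
restricted_entry() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Audit helper: return 0 only if an entry carries a forced command, a from=
# restriction and no-pty. Anything else is treated as an unrestricted key.
# Usage: entry_is_restricted "<authorized_keys line>"
entry_is_restricted() {
    line=$1
    case $line in *'command="'*'"'*) ;; *) return 1 ;; esac
    case $line in *'from="'*'"'*)    ;; *) return 1 ;; esac
    case $line in *no-pty*)          ;; *) return 1 ;; esac
    return 0
}

# Logic for the forced-command wrapper: sshd exposes what check_by_ssh asked
# for in SSH_ORIGINAL_COMMAND; only plugins under LIBEXEC are allowed, with
# no shell metacharacters and no ".." path components.
# Usage: command_allowed "<SSH_ORIGINAL_COMMAND>"
command_allowed() {
    cmd=$1
    case $cmd in *[';&|`$<>']*) return 1 ;; esac   # reject shell metacharacters
    case $cmd in *..*)            return 1 ;; esac   # reject path traversal
    case $cmd in
        "$LIBEXEC"/check_*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Constructed sample key material; not a real key.
SAMPLE_KEY="AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0EXAMPLEKEYNOTREAL"

main() {
    entry=$(restricted_entry "$MONITOR_HOST" "$CHECK_WRAPPER" ssh-rsa "$SAMPLE_KEY" "nagios@monitor")
    printf '%s\n' "$entry"
    if entry_is_restricted "$entry"; then
        echo "entry is restricted"
    fi
    if ! entry_is_restricted "ssh-rsa $SAMPLE_KEY nagios@monitor"; then
        echo "unrestricted entry detected"
    fi
    if command_allowed "$LIBEXEC/check_disk -w 10% -c 5% -p /"; then
        echo "check_disk would be allowed"
    fi
    if ! command_allowed "$LIBEXEC/check_disk; id"; then
        echo "command with metacharacters would be refused"
    fi
}

main "$@"
```

The wrapper named in the entry would call `command_allowed "$SSH_ORIGINAL_COMMAND"` and only then execute the request; with `from=` set, the key is also useless from any host other than the monitoring server. Running `entry_is_restricted` over every line of the monitored hosts' authorized_keys files is a cheap way to find keys that were granted without these options.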


_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null




